Brute-force attack in Keycloak - CVE-2018-14657
Published: November 23, 2018
Vulnerability identifier: #VU16029
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14657
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Keycloak
Affected software:
Keycloak
Keycloak
Detailed vulnerability description
The vulnerability allows remote attacker to perform brute-force attack on the target system.
The vulnerability exists due to improper implementation of the Brute Force detection algorithm doesn't enforce its protection measures when TOPT enabled. A remote attacker can perform a brute force attack, bypass authentication and gain access to device functions.
Successful exploitation of this vulnerability may result in unauthorized access to the system.
The vulnerability exists due to improper implementation of the Brute Force detection algorithm doesn't enforce its protection measures when TOPT enabled. A remote attacker can perform a brute force attack, bypass authentication and gain access to device functions.
Successful exploitation of this vulnerability may result in unauthorized access to the system.
How to mitigate CVE-2018-14657
Install update from vendor's website.