Main Vulnerability Database Vulnerabilities #VU97628

#VU97628 Improper Authentication in Keycloak - CVE-2024-7318

Published: September 20, 2024 / Updated: October 14, 2024

Vulnerability identifier: #VU97628

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-7318

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the generated OTP token remains valid longer than its expiration time when using FreeOTP. This increases the attack window for malicious actors to abuse the system and compromise accounts.

Note, the expiration time is 30 seconds, while the token remains valid for 1 minute in total.

Remediation

Install updates from vendor's website.

External links

https://access.redhat.com/errata/RHSA-2024:6502
https://access.redhat.com/errata/RHSA-2024:6503
https://access.redhat.com/security/cve/CVE-2024-7318
https://bugzilla.redhat.com/show_bug.cgi?id=2301876
https://github.com/keycloak/keycloak/security/advisories/GHSA-xmmm-jw76-q7vg

#VU97628 Improper Authentication in Keycloak - CVE-2024-7318

Description

Remediation

External links

Please verify you're human