Improper Authentication in Keycloak - CVE-2024-7318

 

Improper Authentication in Keycloak - CVE-2024-7318

Published: September 20, 2024 / Updated: October 14, 2024


Vulnerability identifier: #VU97628
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-7318
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the generated OTP token remains valid longer than its expiration time when using FreeOTP. This increases the attack window for malicious actors to abuse the system and compromise accounts.

Note, the expiration time is 30 seconds, while the token remains valid for 1 minute in total.


How to mitigate CVE-2024-7318

Install updates from vendor's website.

Sources