#VU16029 Brute-force attack in Keycloak - CVE-2018-14657
Published: November 23, 2018
Vulnerability identifier: #VU16029
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14657
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Keycloak
Keycloak
Software vendor:
Keycloak
Keycloak
Description
The vulnerability allows remote attacker to perform brute-force attack on the target system.
The vulnerability exists due to improper implementation of the Brute Force detection algorithm doesn't enforce its protection measures when TOPT enabled. A remote attacker can perform a brute force attack, bypass authentication and gain access to device functions.
Successful exploitation of this vulnerability may result in unauthorized access to the system.
The vulnerability exists due to improper implementation of the Brute Force detection algorithm doesn't enforce its protection measures when TOPT enabled. A remote attacker can perform a brute force attack, bypass authentication and gain access to device functions.
Successful exploitation of this vulnerability may result in unauthorized access to the system.
Remediation
Install update from vendor's website.