CVE-2024-4629

Severity: MEDIUM
Published: Sep 3, 2024
Modified: Nov 21, 2024
Weakness: CWE-837

Description

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
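The timing loophole described above, modelled as an added example (this is not Keycloak's code; the counter design, the threshold of 5 failures and the simulated store latency are assumptions): a limiter whose check and increment are two separate steps lets simultaneous failed attempts all through, while holding a lock across both keeps the accepted count at the configured limit.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

const maxFailures = 5                      // lockout threshold (hypothetical value)
const storeLatency = 50 * time.Millisecond // simulated round-trip to the counter store
// RacyLimiter checks then increments in two steps: simultaneous requests all pass the check (CWE-837).
type RacyLimiter struct{ failures int64 }
func (l *RacyLimiter) Attempt() bool {
	if atomic.LoadInt64(&l.failures) >= maxFailures {
		return false // locked out
	}
	time.Sleep(storeLatency) // window in which other requests also pass the check
	atomic.AddInt64(&l.failures, 1)
	return true
}

// SafeLimiter holds a lock across check and increment, making them one indivisible action.
type SafeLimiter struct{ mu sync.Mutex; failures int64 }
func (l *SafeLimiter) Attempt() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.failures >= maxFailures {
		return false
	}
	time.Sleep(storeLatency)
	l.failures++
	return true
}

// concurrentFailures launches n failed logins at once and returns how many guesses got evaluated.
func concurrentFailures(attempt func() bool, n int) int {
	var done sync.WaitGroup
	var accepted int64
	for i := 0; i < n; i++ {
		done.Add(1)
		go func() {
			defer done.Done()
			if attempt() {
				atomic.AddInt64(&accepted, 1)
			}
		}()
	}
	done.Wait()
	return int(accepted)
}
```

With 20 simultaneous failed attempts the racy limiter evaluates far more than 5 guesses, the locked one exactly 5; the defensive takeaway is that the lockout decision and the counter update must be one atomic operation per account.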

CVSS v3.1 Score

6.5 (MEDIUM)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness Type (CWE)

CWE-837: Improper Enforcement of a Single, Unique Action

Affected Products

Vendor   Product
redhat   keycloak
redhat   build_of_keycloak
redhat   single_sign-on
redhat   enterprise_linux
redhat   openshift_container_platform
redhat   openshift_container_platform_for_linuxone
redhat   openshift_container_platform_for_power
redhat   openshift_container_platform_ibm_z_systems

Frequently Asked Questions

What is CVE-2024-4629?
CVE-2024-4629 is the Keycloak brute force protection bypass described above: by sending multiple login requests simultaneously, an attacker can exceed the configured limit on failed attempts before the account is locked, allowing more password guesses than intended. It has a CVSS v3.1 base score of 6.5 (MEDIUM).
How severe is CVE-2024-4629?
CVE-2024-4629 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2024-4629?
CVE-2024-4629 affects products from redhat, specifically: build_of_keycloak, enterprise_linux, keycloak, openshift_container_platform, openshift_container_platform_for_linuxone, openshift_container_platform_for_power, openshift_container_platform_ibm_z_systems, single_sign-on. See the affected products table above.
How do I check if I'm vulnerable to CVE-2024-4629?
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories for specific patch and version information.
