A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
History

Fri, 22 Nov 2024 12:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| References |  |  |
Mon, 16 Sep 2024 16:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat build Of Keycloak, Redhat enterprise Linux, Redhat keycloak, Redhat openshift Container Platform, Redhat openshift Container Platform For Linuxone, Redhat openshift Container Platform For Power, Redhat openshift Container Platform Ibm Z Systems, Redhat single Sign-on |  |
| CPEs | cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*, cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*, cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*, cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*, cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*, cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*, cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*, cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |  |
| Vendors & Products | Redhat build Of Keycloak, Redhat enterprise Linux, Redhat keycloak, Redhat openshift Container Platform, Redhat openshift Container Platform For Linuxone, Redhat openshift Container Platform For Power, Redhat openshift Container Platform Ibm Z Systems, Redhat single Sign-on |  |
Mon, 09 Sep 2024 19:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat rhosemc | |
| CPEs | cpe:/a:redhat:build_keycloak:22::el9, cpe:/a:redhat:red_hat_single_sign_on:7.6, cpe:/a:redhat:red_hat_single_sign_on:7.6::el7, cpe:/a:redhat:red_hat_single_sign_on:7.6::el8, cpe:/a:redhat:red_hat_single_sign_on:7.6::el9, cpe:/a:redhat:rhosemc:1.0::el8 |  |
| Vendors & Products | Redhat rhosemc |  |
| References |  |  |
Tue, 03 Sep 2024 23:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| References |  | |
| Metrics | threat_severity | threat_severity |
Tue, 03 Sep 2024 21:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc |  |
Tue, 03 Sep 2024 20:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. | |
| Title | Keycloak: potential bypass of brute force protection | |
| First Time appeared | Redhat, Redhat build Keycloak, Redhat jboss Enterprise Application Platform, Redhat red Hat Single Sign On |  |
| Weaknesses | CWE-837 | |
| CPEs | cpe:/a:redhat:build_keycloak:22, cpe:/a:redhat:jboss_enterprise_application_platform:8, cpe:/a:redhat:red_hat_single_sign_on:7 |  |
| Vendors & Products | Redhat, Redhat build Keycloak, Redhat jboss Enterprise Application Platform, Redhat red Hat Single Sign On |  |
| References |  | |
| Metrics | cvssV3_1 |  |

MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-09-03T19:42:01.318Z
Updated: 2025-09-23T05:09:48.961Z
Reserved: 2024-05-07T20:47:03.184Z
Link: CVE-2024-4629

Vulnrichment
Updated: 2024-11-14T16:59:26.284Z

NVD
Status: Modified
Published: 2024-09-03T20:15:09.003
Modified: 2024-11-21T09:43:14.917
Link: CVE-2024-4629

Redhat