CVE-2024-4629 - Red Hat Keycloak Concurrent Request Handling Remote Brute-force Protection Bypass

Article ID: 376876

Products

Service Virtualization

Issue/Introduction

Is the Service Virtualization product vulnerable to the following?

Vulnerability Finding Name: Red Hat Keycloak Concurrent Request Handling Remote Brute-force Protection Bypass

Discussion: Red Hat Keycloak Concurrent Request Handling Remote Brute-force Protection Bypass. Red Hat Keycloak contains a flaw that is triggered when handling multiple concurrent login attempts. This may allow a remote attacker to bypass the brute-force protection limit and exceed the configured limit for failed login attempts.
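To illustrate the class of flaw described above, here is an added example (not Keycloak's code and not the Keycloak fix): a constructed failed-login counter that checks the limit and records the failure as two separate steps, so ten simultaneous wrong-password requests all pass the check before any failure is recorded, next to a counter that reserves the attempt slot atomically. The limit of 3 and the request count of 10 are constructed values for the example; a threading.Barrier forces the worst-case interleaving so the result is deterministic.

```python
import threading

MAX_FAILURES = 3   # constructed lockout limit for this example, not Keycloak's default
CONCURRENT = 10    # simultaneous wrong-password attempts against one account


class RacyLockout:
    """Check-then-act: the limit check and the failure record are separate steps."""

    def __init__(self):
        self.failures = 0
        self._lock = threading.Lock()

    def attempt(self, barrier, password_ok):
        if self.failures >= MAX_FAILURES:   # step 1: read the counter
            return "locked"
        barrier.wait()                      # every request passes the check before any records
        if password_ok:
            return "ok"
        with self._lock:                    # step 2: record the failure (too late for the others)
            self.failures += 1
        return "denied"


class AtomicLockout:
    """Reserve-then-verify: the check and the increment happen under one lock."""

    def __init__(self):
        self.failures = 0
        self._lock = threading.Lock()

    def attempt(self, barrier, password_ok):
        barrier.wait()
        with self._lock:                    # reserve an attempt slot atomically
            if self.failures >= MAX_FAILURES:
                return "locked"
            self.failures += 1
        if password_ok:                     # verify outside the lock; success resets the counter
            with self._lock:
                self.failures = 0
            return "ok"
        return "denied"


def run_concurrently(counter):
    """Fire CONCURRENT failed logins at once; returns (per-request results, final counter)."""
    barrier = threading.Barrier(CONCURRENT)
    results, lock = [], threading.Lock()

    def worker():
        outcome = counter.attempt(barrier, password_ok=False)
        with lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(CONCURRENT)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, counter.failures
```

With `RacyLockout` all ten attempts are processed and the counter ends at 10; with `AtomicLockout` exactly three are processed and the remaining seven are rejected as locked.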

Product: Red Hat [JBoss Enterprise Application Platform (EAP) (8, 8)], Red Hat [Red Hat Single Sign-On (7, 7)], Red Hat [Keycloak (24.0.5, 24.0.4, 24.0.6, 24.0.3, 25.0.3, 22.0.11)]

CVSS Score: 6.4
CVE-ID: CVE-2024-4629
Target Remediation Date: 12/23/2024

Environment

Service Virtualization 10.7.2

Resolution

Service Virtualization Software Engineering completed their analysis and found that this vulnerability affects Keycloak release 24.0.3 and earlier.

DevTest 10.7.2 SP6 (Service Pack 6) and DevTest 10.8.0 are not vulnerable, as they use Keycloak release 24.0.4, which is not affected.

Additional Information

Black Duck also reports that this issue was fixed in Keycloak 24.0.4; see:
https://bugzilla.redhat.com/show_bug.cgi?id=2276761