Headline
GHSA-xv7h-95r7-595j: Incorrect implementation of lockout feature in Keycloak
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Incorrect implementation of lockout feature in Keycloak
High severity GitHub Reviewed Published Aug 23, 2022 • Updated Aug 30, 2022
Related news
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
New Red Hat Single Sign-On 7.4.9 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28491: jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception * CVE-2020-35509: keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity * CVE-2021-3513: keycloak: Brute force attack is possible even after the account lockout * CVE-2021-3632: keycloak: An...
New Red Hat Single Sign-On 7.4.9 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28491: jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception * CVE-2020-35509: keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity * CVE-2021-3513: keycloak: Brute force attack is possible even after the account lockout * CVE-2021-3632: keycloak: An...