Headline
GHSA-8wm9-24qg-m5qj: Keycloak has a brute force login protection bypass
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Keycloak has a brute force login protection bypass
Moderate severity GitHub Reviewed Published Sep 3, 2024 to the GitHub Advisory Database • Updated Sep 3, 2024
Related news
If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.