A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Weakness
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keycloak | Redhat | * | 13.0.0 (excluding) |
| Red Hat Single Sign-On 7.4.9 | RedHat | * | |
| Red Hat Single Sign-On 7.4 for RHEL 6 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el6sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 7 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el7sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 8 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el8sso | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/102.html
- https://cwe.mitre.org/data/definitions/474.html
- https://cwe.mitre.org/data/definitions/50.html
- https://cwe.mitre.org/data/definitions/509.html
- https://cwe.mitre.org/data/definitions/551.html
- https://cwe.mitre.org/data/definitions/555.html
- https://cwe.mitre.org/data/definitions/560.html
- https://cwe.mitre.org/data/definitions/561.html
- https://cwe.mitre.org/data/definitions/600.html
- https://cwe.mitre.org/data/definitions/644.html
- https://cwe.mitre.org/data/definitions/645.html
- https://cwe.mitre.org/data/definitions/652.html
- https://cwe.mitre.org/data/definitions/653.html