Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2024-4629

Improper Enforcement of a Single, Unique Action

Published: Sep 03, 2024 | Modified: Nov 21, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-4629
CWEhttps://cwe.mitre.org/data/definitions/837.html

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Weakness

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

Affected Software

NameVendorStart VersionEnd Version
KeycloakRedhat*24.0.3 (excluding)
Red Hat Build of KeycloakRedHatorg.keycloak-keycloak-parent*
Red Hat build of Keycloak 22RedHatrhbk/keycloak-operator-bundle:22.0.12-1*
Red Hat build of Keycloak 22RedHatrhbk/keycloak-rhel9:22-17*
Red Hat build of Keycloak 22RedHatrhbk/keycloak-rhel9-operator:22-20*
Red Hat Single Sign-On 7RedHatorg.keycloak-keycloak-parent*
Red Hat Single Sign-On 7.6 for RHEL 7RedHatrh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el7sso*
Red Hat Single Sign-On 7.6 for RHEL 8RedHatrh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el8sso*
Red Hat Single Sign-On 7.6 for RHEL 9RedHatrh-sso7-keycloak-0:18.0.16-1.redhat_00001.1.el9sso*
RHEL-8 based Middleware ContainersRedHatrh-sso-7/sso76-openshift-rhel8:7.6-52*

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use