Key Information

CVE Number: CVE-2024-7318
Public Disclosure Date: September 9, 2024
Last Modified Date: September 9, 2024
Severity: Low

Vulnerability Description

A vulnerability has been identified in Keycloak. When using FreeOTP, if the OTP token period is set to 30 seconds (the default), expired OTP codes can still be used. This extends the attack window, allowing malicious actors to abuse the system and steal accounts. It also increases the attack surface, because at any given time two OTPs are valid.

Scoring

CVSS v3 Score: 4.8
Scoring Factors:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

Affected Packages and Red Hat Security Patches

Affected Packages:
- rhbk/keycloak-operator-bundle
- rhbk/keycloak-rhel9
- rhbk/keycloak-rhel9-operator
Affected Component: keycloak-core
Status: Fixed
Patch Release Date: September 10, 2024

Attribution

Discoverer: Todd Cullum (Red Hat)

Frequently Asked Questions

- Why does Red Hat's CVSS v3 score or impact differ from other vendors?
- My product is listed as "under investigation" or "affected"; when will Red Hat release a patch to fix this vulnerability?
- If my product is listed as "not being fixed," what should I do?
- What are mitigations?
- I have a Red Hat product, but it's not on the above list; am I affected?
- Why is my security scanner reporting this vulnerability on my product, even though my product version is fixed or unaffected?

Additional Information

Page Generated: September 9, 2024, 16:24:38 UTC
Copyright: 2021
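The following Python is an added illustration, not code from the Red Hat advisory or from Keycloak, showing why accepting the previous 30-second step doubles both the attack window and the number of simultaneously valid codes. It implements RFC 6238 TOTP over a constructed sample key (the RFC's test-vector key, not a real secret); the verifier names and the look-behind parameter are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample key (RFC 6238 test-vector key), not a real secret.
SECRET = b"12345678901234567890"
PERIOD = 30   # the default token period discussed in the advisory
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // period)


def verify(secret: bytes, code: str, now: int, look_behind: int,
           period: int = PERIOD) -> bool:
    """Accept a code for the current step and `look_behind` earlier steps.

    look_behind=0 is strict; look_behind=1 reproduces the behaviour the
    advisory describes, where a code from the expired previous period is
    still accepted.
    """
    step = now // period
    return any(hmac.compare_digest(hotp(secret, step - i), code)
               for i in range(look_behind + 1))


def valid_codes_now(secret: bytes, now: int, look_behind: int,
                    period: int = PERIOD) -> set:
    """Set of distinct codes a verifier with this look-behind accepts right now."""
    step = now // period
    return {hotp(secret, step - i) for i in range(look_behind + 1)}


def acceptance_window_seconds(look_behind: int, period: int = PERIOD) -> int:
    """Longest time a single code stays accepted: (look_behind + 1) periods."""
    return (look_behind + 1) * period


if __name__ == "__main__":
    code_at_59 = totp(SECRET, 59)            # step 1 (seconds 30..59)
    print("strict verifier at t=60:", verify(SECRET, code_at_59, 60, look_behind=0))
    print("lenient verifier at t=60:", verify(SECRET, code_at_59, 60, look_behind=1))
    print("codes valid at t=60 with look-behind 1:", len(valid_codes_now(SECRET, 60, 1)))
```

A verifier that must tolerate clock skew should pair any look-behind with replay tracking (refusing a counter at or below the last accepted one) so that a code cannot be accepted twice.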