Key Information

1. Vulnerability Description:
- Name: CVE-2024-4629
- Public Disclosure Date: September 4, 2024
- Last Modified Date: September 3, 2024
- Severity: Low
- Affected Component: org.keycloak-keycloak-parent

2. Vulnerability Impact:
- Description: This vulnerability exists in Keycloak and allows attackers to bypass brute-force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the failure attempt limit before the system locks them out.
- Impact: This vulnerability enables attackers to attempt more password guesses on affected systems, potentially compromising account security.

3. Mitigation Measures:
- Currently Available Mitigations: None or not compliant with Red Hat Product Security standards.
- Recommendation: No specific mitigation measures provided.

4. Related Links:
- Bugzilla: Bugzilla 2276761
- CWE: CWE-837
- FAQ: Frequently Asked Questions about CVE-2024-4629

5. Affected Packages and Red Hat Security Patches:
- Affected Packages: Red Hat Build of Keycloak, Red Hat JBoss Enterprise Application Platform 8, Red Hat Single Sign-On 7
- Status: Affected

6. CVSS Score:
- CVSS v3 Base Score: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: Confidentiality, Integrity, Availability

7. Frequently Asked Questions:
- Why does Red Hat's CVSS v3 score differ from other vendors'?
- My product is listed as "Under Investigation" or "Affected"; when will Red Hat release a fix?
- If my product is listed as "Unfixable," what should I do?
- What are mitigations?
- I have a Red Hat product, but it's not listed above; am I affected?
- Why does my security scanner report my product is affected by this vulnerability, even though my product version is patched or unaffected?

8. Disclaimer:
- This page is auto-generated and has not been checked for errors or omissions.
- For clarifications or corrections, contact the Red Hat Product Security team.
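The failure mode described in section 2 is a check-then-act race in the failure counter (CWE-837): every request in a simultaneous burst reads a count below the limit before any of them is recorded. The following is an added illustration, not Keycloak code and not the Red Hat advisory's: a guard that splits the limit check from the failure record beside one that checks and reserves the attempt under a single lock. The limit of 5, the user name and the class names are constructed for the example.

```python
# Constructed example, not Keycloak code: a split check-then-act failure limit
# beside an atomic check-and-count one. The limit of 5 is illustrative.
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
import threading

MAX_FAILURES = 5

class SplitGuard:
    """Checks the limit and records a failure as two separate steps, so requests
    arriving together can all pass allowed() before any one is counted (CWE-837)."""
    def __init__(self):
        self.failures = defaultdict(int)

    def allowed(self, user):
        return self.failures[user] < MAX_FAILURES

    def record_failure(self, user):
        self.failures[user] += 1

class AtomicGuard:
    """Reserves the attempt inside the same lock that checks the limit, so a burst
    of n simultaneous requests is admitted at most MAX_FAILURES times."""
    def __init__(self):
        self.attempts = defaultdict(int)
        self.lock = threading.Lock()

    def try_attempt(self, user):
        with self.lock:
            if self.attempts[user] >= MAX_FAILURES:
                return False
            # Counted before the password is checked; a real guard resets on success.
            self.attempts[user] += 1
            return True

def burst_split(n, user="alice"):
    """Worst-case interleaving: n simultaneous wrong guesses all reach allowed()
    before any record_failure() runs. Returns how many guesses were admitted."""
    g = SplitGuard()
    admitted = sum(g.allowed(user) for _ in range(n))
    for _ in range(admitted):
        g.record_failure(user)  # too late: the whole burst is already in
    return admitted

def burst_atomic(n, user="alice"):
    """n concurrent threads each make one guess against AtomicGuard; returns admitted count."""
    g = AtomicGuard()
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(lambda _: g.try_attempt(user), range(n)))
```

With a burst of 20 guesses, the split guard admits all 20 while the atomic guard admits exactly MAX_FAILURES; a detection counterpart is to alert on more failed logins per account within the lockout window than the configured limit should permit.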