{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1722", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-02-21T19:39:16.206Z", "datePublished": "2024-02-27T17:39:13.261Z", "dateUpdated": "2024-11-06T14:50:56.629Z"}, "containers": {"cna": {"title": "Keycloak-core: dos via account lockout", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in."}], "affected": [{"versions": [{"status": "affected", "version": "4.15.0"}], "packageName": "keycloak-core", "collectionURL": "https://bitbucket.org/b_c/jose4j/src/master/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-1722", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389", "name": "RHBZ#2265389", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-02-21T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-645", "description": "Overly Restrictive Account Lockout Mechanism", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-645: Overly Restrictive Account Lockout Mechanism", "workarounds": [{"lang": "en", "value": "Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:\n- Put limits on frequency of account registration, restricting how often an attacker could utilize this attack \n- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the \"@\" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.\n\nIf this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):\n- Delete the account\n- Change the username"}], "timeline": [{"lang": "en", "time": "2024-02-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-21T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Maor Abutbul (CyberArk) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-06T14:50:56.629Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-29T20:52:47.119910Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:05.586Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:21.816Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-1722", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389", "name": "RHBZ#2265389", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-1722", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389", "name": "RHBZ#2265389", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:21.816Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-29T20:52:47.119910Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:41.173Z"}}], "cna": {"title": "Keycloak-core: dos via account lockout", "credits": [{"lang": "en", "value": "Red Hat would like to thank Maor Abutbul (CyberArk) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "4.15.0"}], "packageName": "keycloak-core", "collectionURL": "https://bitbucket.org/b_c/jose4j/src/master/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "keycloak-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "keycloak-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-02-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-21T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-02-21T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-1722", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389", "name": "RHBZ#2265389", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:\n- Put limits on frequency of account registration, restricting how often an attacker could utilize this attack \n- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the \"@\" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.\n\nIf this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):\n- Delete the account\n- Change the username"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-645", "description": "Overly Restrictive Account Lockout Mechanism"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-06T14:50:56.629Z"}, "x_redhatCweChain": "CWE-645: Overly Restrictive Account Lockout Mechanism"}}, "cveMetadata": {"cveId": "CVE-2024-1722", "state": "PUBLISHED", "dateUpdated": "2024-11-06T14:50:56.629Z", "dateReserved": "2024-02-21T19:39:16.206Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-02-27T17:39:13.261Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Keycloak. En determinadas condiciones, este problema puede permitir que un atacante remoto no autenticado bloquee el inicio de sesi\u00f3n de otras cuentas."}], "id": "CVE-2024-1722", "lastModified": "2024-02-29T13:49:29.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-02-29T01:43:54.010", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-1722"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-645"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Maor Abutbul (CyberArk) for reporting this issue.", "bugzilla": {"description": "keycloak-core: DoS via account lockout", "id": "2265389", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265389"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-645", "details": ["A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.", "A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in."], "mitigation": {"lang": "en:us", "value": "Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:\n- Put limits on frequency of account registration, restricting how often an attacker could utilize this attack \n- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the \"@\" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.\nIf this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):\n- Delete the account\n- Change the username"}, "name": "CVE-2024-1722", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "keycloak-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "keycloak-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-02-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1722\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1722"], "statement": "While this attack enables locking out an individual from their account, the entire system will remain in operation. The follow conditions are required for successful exploitation:\n- The realm is configured to use \"User (Self) registration\"\n- The user registers with a username in email format\n- The attacker discovers a valid email address for an account\nDue to these conditions, the security impact has been rated Low.", "threat_severity": "Low"}