A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.
Fixes

Solution

No solution given by the vendor.


Workaround

Red Hat Product Security is not aware of a way to completely mitigate this issue. However, the following techniques can be used to help prevent exploitation:
- Put limits on the frequency of account registration, restricting how often an attacker could utilize this attack.
- Restrict new account registration to not allow email addresses in the username field, for example, by not allowing the "@" symbol. Note: this cannot prevent attacks against existing users who have registered with an email address.

If this vulnerability has been triggered, an administrator has two options to remedy it manually by modifying the second account (of the attacker):
- Delete the account
- Change the username

History

Fri, 14 Feb 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat keycloak
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:redhat:keycloak:23.0.5:*:*:*:*:*:*:*
Vendors & Products Redhat keycloak

Thu, 19 Sep 2024 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-07T11:19:54.980Z

Reserved: 2024-02-21T19:39:16.206Z

Link: CVE-2024-1722

Vulnrichment

Updated: 2024-08-01T18:48:21.816Z

NVD

Status: Analyzed

Published: 2024-02-29T01:43:54.010

Modified: 2025-02-14T17:24:40.253

Link: CVE-2024-1722

Redhat

Severity: Low

Public Date: 2024-02-21T00:00:00Z

Links: CVE-2024-1722 - Bugzilla

OpenCVE Enrichment

No data.