{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7318", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-07-31T03:04:15.355Z", "datePublished": "2024-09-09T18:50:36.583Z", "dateUpdated": "2024-10-08T01:58:19.072Z"}, "containers": {"cna": {"title": "Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\r\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "keycloak-core", "cpes": ["cpe:/a:redhat:build_keycloak:24"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "24.0.7-4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "24-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "24-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:24::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6502", "name": "RHSA-2024:6502", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6503", "name": "RHSA-2024:6503", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7318", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301876", "name": "RHBZ#2301876", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-09T13:55:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-324", "description": "Use of a Key Past its Expiration Date", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-324: Use of a Key Past its Expiration Date", "timeline": [{"lang": "en", "time": "2024-07-31T03:04:38+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-09T13:55:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Todd Cullum (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-08T01:58:19.072Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T19:08:16.666351Z", "id": "CVE-2024-7318", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T19:08:33.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7318", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-09T19:08:16.666351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T19:08:28.083Z"}}], "cna": {"title": "Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity", "credits": [{"lang": "en", "value": "This issue was discovered by Todd Cullum (Red Hat)."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:24"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "keycloak-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24.0.7-4", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24-16", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:24::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 24", "versions": [{"status": "unaffected", "version": "24-16", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-07-31T03:04:38+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-09T13:55:00+00:00", "value": "Made public."}], "datePublic": "2024-09-09T13:55:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6502", "name": "RHSA-2024:6502", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6503", "name": "RHSA-2024:6503", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7318", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301876", "name": "RHBZ#2301876", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\r\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-324", "description": "Use of a Key Past its Expiration Date"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-07T22:08:17.302Z"}, "x_redhatCweChain": "CWE-324: Use of a Key Past its Expiration Date"}}, "cveMetadata": {"cveId": "CVE-2024-7318", "state": "PUBLISHED", "dateUpdated": "2024-10-07T22:08:17.302Z", "dateReserved": "2024-07-31T03:04:15.355Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-09T18:50:36.583Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2383FB8-896C-4C88-8256-88D8EEA0C0CE", "versionEndExcluding": "24.0.7", "versionStartIncluding": "22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\r\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak. Los c\u00f3digos OTP vencidos a\u00fan se pueden usar al usar FreeOTP cuando el per\u00edodo del token OTP est\u00e1 configurado en 30 segundos (predeterminado). En lugar de vencer y considerarse inutilizables despu\u00e9s de unos 30 segundos, los tokens son v\u00e1lidos durante 30 segundos adicionales, lo que suma un total de 1 minuto. Un c\u00f3digo de acceso de un solo uso que sea v\u00e1lido por m\u00e1s tiempo que su tiempo de vencimiento aumenta la ventana de ataque para que los actores maliciosos abusen del sistema y comprometan las cuentas. Adem\u00e1s, aumenta la superficie de ataque porque en un momento dado, dos OTP son v\u00e1lidas."}], "id": "CVE-2024-7318", "lastModified": "2024-10-07T20:15:17.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-09T19:15:14.237", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://access.redhat.com/errata/RHSA-2024:6502"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://access.redhat.com/errata/RHSA-2024:6503"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-7318"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301876"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-324"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Todd Cullum (Red Hat).", "affected_release": [{"advisory": "RHSA-2024:6503", "cpe": "cpe:/a:redhat:build_keycloak:24", "package": "keycloak-core", "product_name": "Red Hat Build of Keycloak", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:6502", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-operator-bundle:24.0.7-4", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:6502", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9:24-16", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-09T00:00:00Z"}, {"advisory": "RHSA-2024:6502", "cpe": "cpe:/a:redhat:build_keycloak:24::el9", "package": "rhbk/keycloak-rhel9-operator:24-16", "product_name": "Red Hat build of Keycloak 24", "release_date": "2024-09-09T00:00:00Z"}], "bugzilla": {"description": "keycloak-core: One Time Passcode (OTP) is valid longer than expiration timeSeverity", "id": "2301876", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301876"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-324", "details": ["A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.", "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute.\nA one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid."], "name": "CVE-2024-7318", "public_date": "2024-09-09T13:55:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7318\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7318"], "statement": "This finding was marked Moderate because it is a 2x increase, which is not too long.\nRed Hat has evaluated this vulnerability and it only affects the Red Hat Build of Keycloak (RHBK).", "threat_severity": "Low"}