
Keycloak Denial of Service via account lockout

Low severity GitHub Reviewed Published Jun 12, 2024 in keycloak/keycloak • Updated Jun 12, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 24.0.0

Patched versions

24.0.0

Description

In any realm with "User (Self) registration" enabled, a user registered with a username in email format can be "locked out" (denied from logging in) using that username.

References

@abstractj abstractj published to keycloak/keycloak Jun 12, 2024
Published to the GitHub Advisory Database Jun 12, 2024
Reviewed Jun 12, 2024
Last updated Jun 12, 2024

Severity

Low (3.7 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-cq42-vhv7-xr7p

Source code
