logo

Database

Account lockout In org.keycloak:keycloak-services

Description

Keycloak Denial of Service via account lockout In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-17222. NVD-2024-17223. OSV-2024-17224. GHSA-cq42-vhv7-xr7p5. GHSA-3hrr-xwvg-hxvr6. GCVE-2024-17227. ACCESS-CVE-2024-1722

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p2. https://github.com/keycloak/keycloak/issues/296033. https://github.com/keycloak/keycloak/issues/29603#issuecomment-21274996274. https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e5. https://bugzilla.redhat.com/show_bug.cgi?id=22653896. https://github.com/keycloak/keycloak

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.