Skip to main content

Build Of Keycloak CVE-2024-7318

MEDIUM
Use of a Key Past its Expiration Date (CWE-324)
2024-09-09 secalert@redhat.com
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 09, 2024 - 19:15 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 64 maven packages depend on org.keycloak:keycloak-core (30 direct, 34 indirect)

Ecosystem-wide dependent count for version 25.0.0.

DescriptionNVD

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

AnalysisAI

A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-324. A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. Affected products include: Redhat Build Of Keycloak.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

Share

CVE-2024-7318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy