Description

A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.

Remediation

References

https://access.redhat.com/security/cve/CVE-2020-1744

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744

Related Vulnerabilities

CVE-2023-24425 Vulnerability in maven package com.cloudbees.jenkins.plugins:kubernetes-credentials-provider

CVE-2020-9486 Vulnerability in maven package org.apache.nifi:nifi-security-utils

CVE-2015-5172 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-login

CVE-2023-28709 Vulnerability in maven package org.apache.tomcat:tomcat-util

CVE-2023-32070 Vulnerability in maven package org.xwiki.rendering:xwiki-rendering-syntax-xhtml

Severity

Medium

Classification

CWE-755 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory Issue Tracking