Description

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

INFO

Published Date :

2024-09-09T18:50:36.583Z

Last Modified :

2026-01-26T15:11:07.763Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2024-7318 vulnerability.

Vendors Products
Redhat
  • Build Keycloak
  • Build Of Keycloak
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7318.

URL Resource
https://access.redhat.com/errata/RHSA-2024:6502 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:6503 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-7318 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2301876 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-7318 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-7318 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact