Keycloak Denial of Service via account lockout

In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his username.

Published: Jun 12, 2024
Updated: Jun 27, 2024
GHSA: GHSA-cq42-vhv7-xr7p
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-640

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	24.0.0

https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e
https://github.com/keycloak/keycloak/issues/29603
https://github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p

Vulnerability Database

289,599

Keycloak Denial of Service via account lockout