GHSA-cq42-vhv7-xr7p: Keycloak Denial of Service via account lockout

June 12, 2024

In any realm set with “User (Self) registration” a user that is registered with a username in email format can be “locked out” (denied from logging in) using his username.

References

github.com/advisories/GHSA-cq42-vhv7-xr7p
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e
github.com/keycloak/keycloak/issues/29603
github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p

Code Behaviors & Features

Detect and mitigate GHSA-cq42-vhv7-xr7p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →