CVE-2020-1744 Information

Description

A flaw was found in Keycloak before version 9.0.1. When a Conditional OTP Authentication Flow is configured as the post-login flow of an identity provider (IdP), failed OTP login events are not sent to the brute force protection event queue, so the BruteForceProtector does not handle these events.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference

https://access.redhat.com/security/cve/CVE-2020-1744
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

5.6

Base Severity

MEDIUM