[GHSA-xmmm-jw76-q7vg] One Time Passcode (OTP) is valid longer than expiration timeSeverity #5108

Merged
Expand Up @@ -3,7 +3,9 @@
"id": "GHSA-xmmm-jw76-q7vg",
"modified": "2024-10-14T20:56:43Z",
"published": "2024-10-14T20:56:43Z",
"aliases": [],
"aliases": [
"CVE-2024-7318"
],
"summary": "One Time Passcode (OTP) is valid longer than expiration timeSeverity",
"details": "A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.",
"severity": [
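Review bot: the `summary` string in this hunk still reads `"One Time Passcode (OTP) is valid longer than expiration timeSeverity"`, where "Severity" looks like an adjacent column label fused onto the title during import; since this hunk already touches the record, suggest correcting it to `"One Time Passcode (OTP) is valid longer than expiration time"` so the summary matches the `details` text. Also, `"modified": "2024-10-14T20:56:43Z"` is left identical to `published` even though the record is being changed to add the `CVE-2024-7318` alias; bump `modified` to the time of this edit so downstream consumers can detect the update. The alias addition itself is fine and consistent with the `details` field, which describes the Keycloak FreeOTP issue that CVE covers.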
Expand Down Expand Up @@ -71,4 +73,4 @@
"github_reviewed_at": "2024-10-14T20:56:43Z",
"nvd_published_at": null
}
}
}
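Review bot: `"nvd_published_at": null` is left unchanged in this hunk while the record now carries a CVE alias; if NVD has published an entry for `CVE-2024-7318`, this field should be populated in the same change, otherwise confirm that `null` is intentional. The only other visible change here is the final `}` being removed and re-added, which appears to be a trailing-newline fix; no objection to that, but it is worth confirming the file ends with exactly one newline so the JSON linter in this repository does not flag it again.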