PT-2020-2664 · Red Hat · Keycloak

Published

2020-03-24

·

Updated

2025-11-21

·

CVE-2020-1744

CVSS v2.0

10

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Keycloak versions prior to 9.0.1
Description

A flaw was found in Keycloak when a Conditional OTP Authentication Flow is configured as the post-login flow of an identity provider (IDP). Failed OTP login events from this flow are not sent to the brute force protection event queue, so the BruteForceProtector never handles them and repeated OTP failures are not counted toward account lockout. This could allow a remote attacker to gain unauthorized access to protected information due to errors in the Conditional OTP Authentication Flow configuration.
Recommendations

For versions prior to 9.0.1, update to version 9.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the Conditional OTP Authentication Flow until the update can be applied. Restrict access to the IDP post-login flow to minimize the risk of exploitation. Avoid using the OTP authentication mechanism in the affected flow until the issue is resolved.

Fix

Information Disclosure

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

BDU:2020-02708
CVE-2020-1744
GHSA-4GF2-XV97-63M2
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
RHSA-2020:0945
RHSA-2020:0946
RHSA-2020:0947

Affected Products

Keycloak