PT-2024-38263 · Red Hat · Keycloak

Patrick Del Bello +1

Published 2024-09-09 · Updated 2024-10-14 · CVE-2024-7318

CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A vulnerability was found in Keycloak where expired OTP codes are still usable when using FreeOTP with the default OTP token period of 30 seconds. Instead of expiring after 30 seconds, the tokens remain valid for an additional 30 seconds, totaling 1 minute. This increases the attack window for malicious actors to abuse the system and compromise accounts, as well as the attack surface, since two OTPs are valid at any given time.
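To make the described behaviour concrete, here is an added example (not Keycloak's or FreeOTP's code) of a minimal RFC 6238 TOTP verifier with a configurable look-back window, using the RFC's published test secret. With `look_back=1` a code from the previous 30-second step is still accepted, so each code stays valid for 60 seconds and two codes are valid at any instant; `look_back=0` is the strict setting.

```python
import hashlib
import hmac
import struct

PERIOD = 30   # default token period, as in the advisory
DIGITS = 6

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), not a real key
SECRET = b"12345678901234567890"


def totp_at(secret: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    step = unix_time // period
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, look_back: int = 0,
                period: int = PERIOD) -> bool:
    """Accept the current step plus up to `look_back` earlier steps.

    look_back=0: only the current 30 s step is valid (strict).
    look_back=1: the previous step is also accepted, which is the
    behaviour the advisory describes: a code lives for 60 s and two
    codes are valid at any given moment.
    """
    for i in range(look_back + 1):
        candidate = totp_at(secret, now - i * period, period)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def validity_window_seconds(look_back: int, period: int = PERIOD) -> int:
    """How long a single code remains acceptable for a given window."""
    return period * (look_back + 1)


if __name__ == "__main__":
    issued_at = 1111111109            # inside step 37037036
    code = totp_at(SECRET, issued_at)
    later = 1111111139                # 29 s after that step ended
    print("strict  :", verify_totp(SECRET, code, later, look_back=0))   # False
    print("lenient :", verify_totp(SECRET, code, later, look_back=1))   # True
    print("window  :", validity_window_seconds(1), "seconds")          # 60
```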
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2024-7318
GHSA-57RH-GR4V-J5F6
GHSA-XMMM-JW76-Q7VG

Affected Products

Keycloak