How severe is CVE-2024-7318?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.8 out of 10.

What type of vulnerability is CVE-2024-7318?

This is classified as CWE-324, which is a common weakness in software security.

CVE-2024-7318 - MEDIUM Severity | CVSS 4.8

Vulnerability Description

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

Related Vulnerabilities

CVE-2024-31893

MEDIUM

CVSS:4.3(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive calendar information using an expired access token. IBM X-Force ID: 288174.

CWE-3242024

CVE-2024-31894

MEDIUM

CVSS:4.3(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288175.

CWE-3242024

CVE-2019-3790

MEDIUM

CVSS:5.4(Medium)

The Pivotal Ops Manager, 2.2.x versions prior to 2.2.23, 2.3.x versions prior to 2.3.16, 2.4.x versions prior to 2.4.11, and 2.5.x versions prior to 2.5.3, contain configuration that circumvents refre...

CWE-3242019

CVE-2024-38277

MEDIUM

CVSS:5.4(Medium)

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

CWE-3242024

CVE-2024-6299

LOW

CVSS:3.7(Low)

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timest...

CWE-3242024

CVE-2024-31895

MEDIUM

CVSS:6.5(Medium)

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288176.

CWE-3242024