/
DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-7318

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-7318

CGA ID

CGA-g934-3xgg-h5q9

Severity

4.8

Medium

CVSS V3

Summary

Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity

Description

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

References

Affected packages

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingContact UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation