CVE-2024-42163

8.3 HIGH

📋 TL;DR

This vulnerability in FIWARE Keyrock allows attackers to predict password reset tokens due to insufficient randomness. Attackers can take over any user account by generating valid password reset links. All users of FIWARE Keyrock version 8.4 and earlier are affected.

💻 Affected Systems

Products:
  • FIWARE Keyrock
Versions: <= 8.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default password reset functionality are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover of all users, including administrators, leading to full system compromise and data breach.

🟠 Likely Case: Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive data and privilege escalation.

🟢 If Mitigated: Limited impact with proper monitoring and multi-factor authentication in place, though account compromise remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires only the ability to predict or brute-force password reset tokens.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5 or later

Vendor Advisory: https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories

Restart Required: Yes

Instructions:

1. Backup your current Keyrock installation.
2. Upgrade to FIWARE Keyrock version 8.5 or later.
3. Restart the Keyrock service.
4. Verify the fix by testing password reset functionality.

🔧 Temporary Workarounds

Disable Password Reset

all

Temporarily disable the password reset functionality until patching is complete.

Modify Keyrock configuration to disable password reset endpoints

Implement Rate Limiting

all

Add rate limiting to password reset endpoints to prevent brute-force attacks.

Configure web server or application firewall to limit requests to /password/reset endpoints

🧯 If You Can't Patch

  • Implement multi-factor authentication for all user accounts
  • Monitor logs for unusual password reset activity and failed attempts

🔍 How to Verify

Check if Vulnerable:

Check if running FIWARE Keyrock version 8.4 or earlier. Review password reset token generation code for insufficient randomness.

Check Version:

Check Keyrock configuration files or admin interface for version information

Verify Fix Applied:

After upgrading to version 8.5+, test password reset functionality and verify tokens are cryptographically random.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts from single IP
  • Successful password resets for multiple accounts from same source
  • Unusual pattern of password reset requests

Network Indicators:

  • High volume of requests to password reset endpoints
  • Requests to /password/reset with predictable token patterns

SIEM Query:

source="keyrock.log" AND ("password reset" OR "/password/reset") | stats count by src_ip

🔗 References