Severity: HIGH (7.5) · Ecosystem: Maven
Incorrect implementation of lockout feature in Keycloak
GHSA-xv7h-95r7-595j · CVE-2021-3513
Description
A flaw was found in Keycloak where a brute force attack remains possible even when the permanent lockout feature is enabled. This is due to an incorrect error message being displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
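The class of flaw the description names (a lockout that is enabled but still lets login responses carry information) is easiest to see with a small model. The following is an added example written for this page, not Keycloak's code; the lockout threshold, the message strings, and the particular way the weak handler leaks (it verifies the password before consulting the lock and answers differently depending on the result) are all assumptions chosen to illustrate the failure mode, not a description of the actual Keycloak code path. The `responses_after_lockout` helper is the check a defender would run against their own login handler: after lockout, every guess must produce the same response.

```python
"""Illustrative model of a permanent-lockout login check (assumed design, not Keycloak).

Two handlers are compared: one that still verifies the password after the account
is locked and lets the response reveal the outcome, and one that stops at the lock
check and answers uniformly.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed policy: permanent lockout after three failed attempts
FAILURE_MSG = "Invalid username or password"  # assumed generic failure message


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(password, salt))


def _password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def _record_failure(acct: Account) -> None:
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True  # permanent: nothing in this model ever clears it


def login_leaky(acct: Account, password: str) -> str:
    """Weak handler: the password is verified first, and only a correct password
    reaches the lock check, so the two failure messages act as a password oracle
    even after lockout."""
    if not _password_matches(acct, password):
        _record_failure(acct)
        return FAILURE_MSG
    if acct.locked:
        return "Account is disabled"  # reachable only with the correct password
    return "OK"


def login_uniform(acct: Account, password: str) -> str:
    """Hardened handler: a locked account is rejected before any password check,
    and every failure path returns the same message."""
    if acct.locked:
        return FAILURE_MSG
    if not _password_matches(acct, password):
        _record_failure(acct)
        return FAILURE_MSG
    return "OK"


def responses_after_lockout(login, acct: Account, guesses) -> set:
    """Drive the account into lockout with wrong passwords, then return the set of
    distinct responses for the remaining guesses. A correct lockout yields exactly
    one response regardless of what is guessed."""
    for _ in range(MAX_FAILURES):
        login(acct, "definitely-not-the-password")
    assert acct.locked
    return {login(acct, g) for g in guesses}


if __name__ == "__main__":
    guesses = ["hunter2", "correct horse battery staple"]  # constructed sample guesses
    print("leaky:  ", responses_after_lockout(login_leaky, make_account("alice", guesses[1]), guesses))
    print("uniform:", responses_after_lockout(login_uniform, make_account("alice", guesses[1]), guesses))
```

The check generalises beyond the message text: any observable difference after lockout (status code, response size, timing of the hash computation that the uniform handler skips) is the same defect, so a real test should compare whole responses, not just bodies.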