CVE-2021-3513: Insufficiently Protected Credentials in Red Hat Keycloak

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 57.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 22, 2022; latest update Aug 23, 2022

Description

A flaw was found in Keycloak where a brute-force attack remains possible even when the permanent lockout feature is enabled. The cause is a wrong error message displayed when incorrect credentials are entered, which leaves an attacker a usable oracle despite the lockout. The highest threat from this vulnerability is to confidentiality.
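The error-message oracle described above, as an added illustration that is not Keycloak's code: both variants below enforce the permanent lockout, but login_vulnerable verifies the password before consulting the lock state and answers a locked account differently when the guess happens to be correct, while login_fixed decides on the lock first and returns the same message for every rejection. The user store, the message strings, the MAX_FAILURES threshold and the wordlist are constructed assumptions for the model, not details of Keycloak's implementation.

```python
"""Model of a permanent-lockout login check and an error-message oracle.

Constructed illustration for this page, not Keycloak source code: the user
store, the response strings and the order of the checks are assumptions that
model the bug class described above, not Keycloak's implementation.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

INVALID = "invalid_credentials"   # generic message for any rejected login
DISABLED = "account_disabled"     # a second, distinguishable message
OK = "success"
MAX_FAILURES = 3                  # permanent lockout after this many failures


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    enabled: bool = True

    @classmethod
    def create(cls, password: str) -> "User":
        salt = os.urandom(16)
        return cls(salt=salt, pw_hash=hash_password(password, salt))

    def password_matches(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.enabled = False      # permanent lockout: no automatic reset


def login_vulnerable(user: User, password: str) -> str:
    """Lockout is enforced, but the message still depends on the password.

    A wrong password always yields INVALID, even for a locked account, while
    the correct password for a locked account yields DISABLED.  The lockout
    stops the login, not the guessing.
    """
    if not user.password_matches(password):
        user.record_failure()
        return INVALID
    if not user.enabled:
        return DISABLED
    user.failures = 0
    return OK


def login_fixed(user: User, password: str) -> str:
    """Decide the lock state before touching the password; one message for all rejections."""
    if not user.enabled:
        return INVALID                # identical to a bad password
    if not user.password_matches(password):
        user.record_failure()
        return INVALID
    user.failures = 0
    return OK


def brute_force(login, user: User, wordlist, canary: str = "definitely-not-it"):
    """Use the server's error message as an oracle.

    Record the response to a known-wrong guess, then report the first
    candidate whose response differs from it.  Against login_vulnerable this
    keeps working after the account is locked; against login_fixed every
    response is identical, so the attacker learns nothing.
    """
    baseline = login(user, canary)
    for guess in wordlist:
        if login(user, guess) != baseline:
            return guess
    return None


if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "hunter2", "qwerty"]  # constructed
    victim = User.create("hunter2")
    print("vulnerable:", brute_force(login_vulnerable, victim, wordlist))
    victim = User.create("hunter2")
    print("fixed:     ", brute_force(login_fixed, victim, wordlist))
```

If a locked account should receive an explanatory message rather than the generic one, take that decision before the password is verified, as login_fixed does for the lock check, so the response never depends on whether the guess was right. Permanent lockout also hands an unauthenticated attacker a denial-of-service lever against any known username, so the lock alone is not a substitute for uniform responses and rate limiting.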

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD:        redhat/keycloak  < 13.0.0
CVEListV5:  redhat/keycloak  fixed in keycloak v13.0.0

🔴 Vulnerability Details (3)

OSV      Incorrect implementation of lockout feature in Keycloak  (2022-08-23)
GHSA     Incorrect implementation of lockout feature in Keycloak  (2022-08-23)
CVEList  CVE-2021-3513: A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled  (2022-08-22)

📋 Vendor Advisories (1)

Red Hat  keycloak: Brute force attack is possible even after the account lockout  (2021-04-26)