CVE-2021-3754 — Improper Input Validation in Redhat Keycloak

CWE-20 — Improper Input Validation CWE-670 — Always-Incorrect Control Flow Implementation5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

12.3%

top 6.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedAug 26

Latest updateJun 12

Description

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5redhat/keycloakNot-Known

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

OSV

Keycloak's improper input validation allows using email as username↗2024-06-12

▶

GHSA

Keycloak's improper input validation allows using email as username↗2024-06-12

▶

CVEList

CVE-2021-3754: A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user↗2022-08-26

▶

📋Vendor Advisories

Red Hat

keycloak: allows using email as username↗2022-05-30

▶