CVE Vulnerability

CVE-2021-3632

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/keycloak/keycloak/pull/8203 Issue Tracking Patch
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4 Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1978196 Issue Tracking Vendor Advisory
https://access.redhat.com/security/cve/CVE-2021-3632 Vendor Advisory
https://issues.redhat.com/browse/KEYCLOAK-18500 Permissions Required Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Information

Published : 2022-08-26 04:15

Updated : 2022-11-23 04:05

NVD link : CVE-2021-3632

Mitre link : CVE-2021-3632

Products Affected

Redhat

Single Sign-on

CWE
CWE-287