First published: Mon Aug 30 2021(Updated: )
keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Keycloak | ||
Redhat Single Sign-on | =7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-3754 is a vulnerability found in Keycloak that allows an attacker to register themselves with the username same as the email ID of an existing user, causing issues with password recovery.
The severity of CVE-2021-3754 is medium, with a CVSSv3 base score of 5.3.
Redhat Keycloak and Redhat Single Sign-on version 7.0 are affected by CVE-2021-3754.
An attacker can exploit CVE-2021-3754 by registering themselves with the same username as the email ID of an existing user.
Yes, you can find more information about CVE-2021-3754 at the following references: [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1999196) and [Red Hat Security](https://access.redhat.com/security/cve/CVE-2021-3754).