CVE-2021-3754: Input Validation
First published: Mon Aug 30 2021(Updated: )
keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Keycloak | ||
| Redhat Single Sign-on | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-3754?
CVE-2021-3754 is a vulnerability found in Keycloak that allows an attacker to register themselves with the username same as the email ID of an existing user, causing issues with password recovery.
What is the severity of CVE-2021-3754?
The severity of CVE-2021-3754 is medium, with a CVSSv3 base score of 5.3.
What software is affected by CVE-2021-3754?
Redhat Keycloak and Redhat Single Sign-on version 7.0 are affected by CVE-2021-3754.
How can an attacker exploit CVE-2021-3754?
An attacker can exploit CVE-2021-3754 by registering themselves with the same username as the email ID of an existing user.
Are there any references for CVE-2021-3754?
Yes, you can find more information about CVE-2021-3754 at the following references: [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1999196) and [Red Hat Security](https://access.redhat.com/security/cve/CVE-2021-3754).
- collector/redhat-bugzilla
- alias/CVE-2021-3754
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/event
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat single sign-on
- version/redhat single sign-on/7.0