CVE-2021-3827
First published: Thu Sep 02 2021(Updated: )
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak-server-spi-private | <18.0.0 | 18.0.0 |
| redhat/rh-sso7-keycloak | <0:15.0.4-1.redhat_00001.1.el7 | 0:15.0.4-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:15.0.4-1.redhat_00001.1.el8 | 0:15.0.4-1.redhat_00001.1.el8 |
| redhat/redhat-sso | <7-sso75-openshift-rhel8 | 7-sso75-openshift-rhel8 |
| Redhat Keycloak | <18.0.0 | |
| Redhat Single Sign-on | =7.0 | |
| Redhat Single Sign-on | =7.5.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Openshift Container Platform | =4.8 | |
| Redhat Openshift Container Platform | =4.9 | |
| Redhat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2021-3827
- https://bugzilla.redhat.com/show_bug.cgi?id=2007512
- https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d
- https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v
- https://issues.redhat.com/browse/KEYCLOAK-19177
- https://access.redhat.com/errata/RHSA-2022:0152
- https://access.redhat.com/errata/RHSA-2022:0151
- https://access.redhat.com/errata/RHSA-2022:0155
- https://access.redhat.com/security/cve/cve-2021-3827
- https://access.redhat.com/errata/RHSA-2022:0164
- https://www.cve.org/CVERecord?id=CVE-2021-3827 https://nvd.nist.gov/vuln/detail/CVE-2021-3827 https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-3827?
CVE-2021-3827 is a vulnerability found in Keycloak that allows other authentication flows to be bypassed, potentially enabling an attacker to bypass MFA authentication.
How does CVE-2021-3827 work?
CVE-2021-3827 works by exploiting the default ECP binding flow in Keycloak, allowing an attacker to bypass MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header containing the user's credentials.
What is the severity of CVE-2021-3827?
CVE-2021-3827 has a severity rating of 6.8 (medium).
Which software versions are affected by CVE-2021-3827?
Keycloak versions up to and excluding 18.0.0, rh-sso7-keycloak versions 0:15.0.4-1.redhat_00001.1.el7 and 0:15.0.4-1.redhat_00001.1.el8, and redhat-sso version 7-sso75-openshift-rhel8 are affected by CVE-2021-3827.
How can I mitigate CVE-2021-3827?
To mitigate CVE-2021-3827, update your Keycloak and related software to versions that include the necessary fixes. Refer to the provided remediation links for more information.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3827
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat single sign-on
- version/redhat single sign-on/7.0
- version/redhat single sign-on/7.5.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.8
- version/redhat openshift container platform/4.9
- package-manager/redhat