Potential Keycloak Vulnerability in DevTest: CVE-2021-3632

Article ID: 219670

Products

Service Virtualization CA Application Test

Issue/Introduction

Vulnerability Finding Name: Red Hat Keycloak WebAuthn Passwordless Login Unauthorized Remote Device Registration

Discussion: Red Hat Keycloak WebAuthn Passwordless Login Unauthorized Remote Device Registration. Red Hat Keycloak contains a flaw in the passwordless login feature when using WebAuthn and no device is registered. This may allow a remote attacker to register a new security device.

CVSS Score: 5.1

Severity: Medium
CVE-ID: CVE-2021-3632
Product: Red Hat [Keycloak (13.0.1)], Red Hat [Red Hat Single Sign-On (7.4.7)]

Environment

Devtest 10.6

Component : CA Service Virtualization

Cause

Vulnerability

Resolution

A flaw was found in Keycloak version 13.0.1 where it was possible for anyone to register a new security device/key when no device was already registered for any user using the WebAuthn password-less login flow.

Since DevTest does not use password-less login, DevTest is not affected.