A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keycloak | Redhat | * | 15.1.0 (excluding) |
| Single_sign-on | Redhat | 7.0 (including) | 7.0 (including) |
| Red Hat Single Sign-On 7.4.9 | RedHat | * | |
| Red Hat Single Sign-On 7.4 for RHEL 6 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el6sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 7 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el7sso | * |
| Red Hat Single Sign-On 7.4 for RHEL 8 | RedHat | rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el8sso | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://access.redhat.com/security/cve/CVE-2021-3632
- https://bugzilla.redhat.com/show_bug.cgi?id=1978196
- https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
- https://github.com/keycloak/keycloak/pull/8203
- https://issues.redhat.com/browse/KEYCLOAK-18500
- https://access.redhat.com/security/cve/CVE-2021-3632
- https://bugzilla.redhat.com/show_bug.cgi?id=1978196
- https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
- https://github.com/keycloak/keycloak/pull/8203
- https://issues.redhat.com/browse/KEYCLOAK-18500