A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Keycloak | Redhat | * | 15.1.0 (excluding) |
Single_sign-on | Redhat | 7.0 (including) | 7.0 (including) |