7.5
CVE-2021-3632
- EPSS 0.91%
- Veröffentlicht 26.08.2022 16:15:09
- Zuletzt bearbeitet 21.11.2024 06:22:01
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Single Sign-on Version7.0
Redhat ≫ Single Sign-on Version >= 7.4 < 7.4.9
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.91% | 0.555 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://access.redhat.com/security/cve/CVE-2021-3632
https://bugzilla.redhat.com/show_bug.cgi?id=1978196
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
https://github.com/keycloak/keycloak/pull/8203
https://issues.redhat.com/browse/KEYCLOAK-18500