CVE-2021-3513
22.08.2022, 15:15
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.Enginsight
| Vendor | Product | Version |
|---|---|---|
| redhat | keycloak | 𝑥 < 13.0.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-522 - Insufficiently Protected CredentialsThe product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- CWE-209 - Generation of Error Message Containing Sensitive InformationThe software generates an error message that includes sensitive information about its environment, users, or associated data.