Vulnerability Details : CVE-2021-3513

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

Published 2022-08-22 15:15:13

Updated 2022-08-23 18:35:49

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-3513

Probability of exploitation activity in the next 30 days: 0.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 50 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3513

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-3513

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Assigned by: nvd@nist.gov (Primary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2021-3513

https://access.redhat.com/security/cve/CVE-2021-3513

CVE-2021-3513- Red Hat Customer Portal
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1953439

1953439 – (CVE-2021-3513) CVE-2021-3513 keycloak: Brute force attack is possible even after the account lockout
Issue Tracking;Vendor Advisory

Products affected by CVE-2021-3513

Redhat » Keycloak
Versions before (<) 13.0.0
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Matching versions