Vulnerability Details : CVE-2021-3827

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.

Vulnerability category: BypassGain privilege

Published 2022-08-23 16:15:10

Updated 2022-11-30 18:46:56

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-3827

Probability of exploitation activity in the next 30 days: 0.11%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3827

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N	1.6	5.2	nvd@nist.gov
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2021-3827

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-3827

https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v

ECP SAML binding bypasses authentication flows · Advisory · keycloak/keycloak · GitHub
Third Party Advisory
https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d

KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp … · keycloak/keycloak@44000ca · GitHub
Patch;Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-3827

CVE-2021-3827- Red Hat Customer Portal
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2007512

2007512 – (CVE-2021-3827) CVE-2021-3827 keycloak-server-spi-private: ECP SAML binding bypasses authentication flows
Issue Tracking;Vendor Advisory

Products affected by CVE-2021-3827

Redhat » Keycloak
Versions before (<) 18.0.0
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 4.8
cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 4.9
cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Single Sign-on » Version: 7.0
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Single Sign-on » Version: 7.5.0
cpe:2.3:a:redhat:single_sign-on:7.5.0:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0