VDB
CVE-2021-3632
CVE-2021-3632
PUBLISHED
CVSS 7.5 HIGH
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
EPSS 0.50% · 66.5th percentile
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
0.50%
66.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| redhat | single_sign-on | 7.0, 7.4 |
| redhat | keycloak | 0 |
| Maven | org.keycloak:keycloak-core | 0 |
| n/a | keycloak | * |
Exploit Intelligence
- CIRCL seen: CVE-2021-3632 (circl-sighting)
- https://issues.redhat.com/browse/KEYCLOAK-18500 (circl)
- https://bugzilla.redhat.com/show_bug.cgi?id=1978196 (circl)
- https://access.redhat.com/security/cve/CVE-2021-3632 (circl)
- https://github.com/keycloak/keycloak/pull/8203 (circl)
- https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4 (circl)
Timeline
- Aug 26, 2022 CVE Published
- Aug 27, 2022 EPSS Score
- Oct 12, 2022 EPSS Score
- Nov 23, 2022 CVE Updated
- Nov 26, 2022 EPSS Score
- Jan 11, 2023 EPSS Score
- Feb 25, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 12, 2023 EPSS Score
- May 28, 2023 EPSS Score
- Jul 12, 2023 EPSS Score
- Aug 27, 2023 EPSS Score
References
- https://issues.redhat.com/browse/KEYCLOAK-18500 url
- https://bugzilla.redhat.com/show_bug.cgi?id=1978196 url
- https://access.redhat.com/security/cve/CVE-2021-3632 url
- https://github.com/keycloak/keycloak/pull/8203 url
- https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4 url
- https://nvd.nist.gov/vuln/detail/CVE-2021-3632 advisory
- https://github.com/keycloak/keycloak package