logo

Database

Insecure service configuration In org.keycloak:keycloak-services

Description

Keycloak's improper input validation allows using email as username Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-37542. NVD-2021-37543. OSV-2021-37544. GHSA-4vc8-pg5c-vg4x5. GHSA-j9xq-j329-2xvg6. GCVE-2021-37547. ACCESS-CVE-2021-3754

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-4vc8-pg5c-vg4x2. https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e3. https://bugzilla.redhat.com/show_bug.cgi?id=19991964. https://github.com/7Ragnarok7/CVE-2021-3754

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.