PT-2022-7282 · Red Hat · Keycloak

Abstractj · Published 2022-04-25 · Updated 2022-11-30 · CVE-2021-3827

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA by sending a SOAP request with an AuthnRequest and an Authorization header carrying the user's credentials, specifically the username and password. The highest threat from this issue is to confidentiality and integrity.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2024-02260
CVE-2021-3827
GHSA-4PC7-VQV5-5R3V
RHSA-2022:0151
RHSA-2022:0152

Affected Products

Keycloak