Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-3632

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-26 Aug, 2022 | 15:25
Updated At-03 Aug, 2024 | 17:01
Rejected At-
Credits

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:26 Aug, 2022 | 15:25
Updated At:03 Aug, 2024 | 17:01
Rejected At:
▼CVE Numbering Authority (CNA)

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

Affected Products
Vendor
n/a
Product
keycloak
Versions
Affected
  • Fixed in v15.1.0
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287 - Improper Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287 - Improper Authentication
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://issues.redhat.com/browse/KEYCLOAK-18500
x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=1978196
x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2021-3632
x_refsource_MISC
https://github.com/keycloak/keycloak/pull/8203
x_refsource_MISC
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
x_refsource_MISC
Hyperlink: https://issues.redhat.com/browse/KEYCLOAK-18500
Resource:
x_refsource_MISC
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1978196
Resource:
x_refsource_MISC
Hyperlink: https://access.redhat.com/security/cve/CVE-2021-3632
Resource:
x_refsource_MISC
Hyperlink: https://github.com/keycloak/keycloak/pull/8203
Resource:
x_refsource_MISC
Hyperlink: https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://issues.redhat.com/browse/KEYCLOAK-18500
x_refsource_MISC
x_transferred
https://bugzilla.redhat.com/show_bug.cgi?id=1978196
x_refsource_MISC
x_transferred
https://access.redhat.com/security/cve/CVE-2021-3632
x_refsource_MISC
x_transferred
https://github.com/keycloak/keycloak/pull/8203
x_refsource_MISC
x_transferred
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
x_refsource_MISC
x_transferred
Hyperlink: https://issues.redhat.com/browse/KEYCLOAK-18500
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1978196
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://access.redhat.com/security/cve/CVE-2021-3632
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/keycloak/keycloak/pull/8203
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:26 Aug, 2022 | 16:15
Updated At:23 Nov, 2022 | 16:05

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Red Hat, Inc.
redhat
>>keycloak>>Versions before 15.1.0(exclusive)
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>single_sign-on>>7.0
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>single_sign-on>>Versions from 7.4(inclusive) to 7.4.9(exclusive)
cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>enterprise_linux>>6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>enterprise_linux>>7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>enterprise_linux>>8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Primarynvd@nist.gov
CWE-287Secondarysecalert@redhat.com
CWE ID: CWE-287
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-287
Type: Secondary
Source: secalert@redhat.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://access.redhat.com/security/cve/CVE-2021-3632secalert@redhat.com
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1978196secalert@redhat.com
Issue Tracking
Vendor Advisory
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4secalert@redhat.com
Patch
Third Party Advisory
https://github.com/keycloak/keycloak/pull/8203secalert@redhat.com
Issue Tracking
Patch
Third Party Advisory
https://issues.redhat.com/browse/KEYCLOAK-18500secalert@redhat.com
Permissions Required
Vendor Advisory
Hyperlink: https://access.redhat.com/security/cve/CVE-2021-3632
Source: secalert@redhat.com
Resource:
Vendor Advisory
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1978196
Source: secalert@redhat.com
Resource:
Issue Tracking
Vendor Advisory
Hyperlink: https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
Source: secalert@redhat.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/keycloak/keycloak/pull/8203
Source: secalert@redhat.com
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://issues.redhat.com/browse/KEYCLOAK-18500
Source: secalert@redhat.com
Resource:
Permissions Required
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

107Records found
CVE-2017-12196
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.72%
||
7 Day CHG~0.00%
Published-18 Apr, 2018 | 01:00
Updated-05 Aug, 2024 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

Action-Not Available
Vendor-unspecifiedRed Hat, Inc.
Product-jboss_enterprise_application_platformjboss_fusevirtualizationundertowundertow
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-40660
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.04% / 11.96%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 16:58
Updated-06 Nov, 2025 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Opensc: potential pin bypass when card tracks its own login state

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

Action-Not Available
Vendor-opensc_projectRed Hat, Inc.
Product-openscenterprise_linuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7
CWE ID-CWE-287
Improper Authentication
CVE-2022-0996
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.70%
||
7 Day CHG~0.00%
Published-23 Mar, 2022 | 19:46
Updated-03 Nov, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.

Action-Not Available
Vendor-n/aFedora ProjectRed Hat, Inc.
Product-389_directory_serverfedoraenterprise_linux389-ds-base
CWE ID-CWE-287
Improper Authentication
CVE-2022-0492
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-6.52% / 90.90%
||
7 Day CHG~0.00%
Published-03 Mar, 2022 | 00:00
Updated-02 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

Action-Not Available
Vendor-n/aFedora ProjectCanonical Ltd.Red Hat, Inc.Linux Kernel Organization, IncNetApp, Inc.Debian GNU/Linux
Product-ubuntu_linuxh300ecodeready_linux_builder_for_power_little_endianenterprise_linux_server_update_services_for_sap_solutionsh500senterprise_linux_server_aussolidfire_\&_hci_management_nodeenterprise_linuxvirtualization_hosth410senterprise_linux_for_real_time_tush300shci_compute_nodecodeready_linux_builderdebian_linuxlinux_kernelenterprise_linux_for_ibm_z_systems_eush500eenterprise_linux_for_real_time_for_nfv_tusfedoraenterprise_linux_for_ibm_z_systemsenterprise_linux_eusenterprise_linux_for_power_little_endian_eusenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsh700esolidfire\,_enterprise_sds_\&_hci_storage_nodeenterprise_linux_server_tush410centerprise_linux_for_power_little_endianh700skernel
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-862
Missing Authorization
CVE-2023-36004
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-0.18% / 39.04%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 18:10
Updated-01 Jan, 2025 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability

Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_21h2windows_10_1809windows_server_2016windows_server_2012windows_server_2008windows_10_1507windows_11_21h2windows_10_22h2windows_server_2022windows_11_22h2windows_server_2019windows_10_1607windows_11_23h2Windows Server 2022Windows 10 Version 1607Windows 11 version 22H3Windows 11 version 22H2Windows Server 2019 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2008 Service Pack 2Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows 11 version 21H2Windows Server 2012 (Server Core installation)Windows Server 2016Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2008 R2 Service Pack 1Windows 11 Version 23H2Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2012 R2Windows Server 2019Windows Server 2012Windows Server 2008 Service Pack 2Windows Server 2012 R2 (Server Core installation)Windows 10 Version 22H2
CWE ID-CWE-287
Improper Authentication
CVE-2020-7856
Matching Score-4
Assigner-KrCERT/CC
ShareView Details
Matching Score-4
Assigner-KrCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.81% / 73.84%
||
7 Day CHG~0.00%
Published-20 Apr, 2021 | 12:02
Updated-04 Aug, 2024 | 09:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.

Action-Not Available
Vendor-cnestyCnesty
Product-helpcomHelpcom
CWE ID-CWE-287
Improper Authentication
CVE-2020-26236
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.33% / 55.58%
||
7 Day CHG~0.00%
Published-20 Nov, 2020 | 17:55
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Verification Code Hijacking in ScratchVerifier

In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. A possible exploitation would follow these steps: 1. User starts login process. 2. Attacker attempts login for user, and is given the same verification code. 3. User comments code as part of their normal login. 4. Before user can, attacker completes the login process now that the code is commented. 5. User gets a failed login and attacker now has control of the account. Since commit a603769 starting a login twice will generate different verification codes, causing both user and attacker login to fail. For clients that rely on a clone of ScratchVerifier not hosted by the developers, their users may attempt to finish the login process as soon as possible after commenting the code. There is no reliable way for the attacker to know before the user can finish the process that the user has commented the code, so this vulnerability only really affects those who comment the code and then take several seconds before finishing the login.

Action-Not Available
Vendor-scratchverifierScratchVerifier
Product-scratchverifierScratchVerifier
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found