Описание
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
Ссылки
- https://github.com/keycloak/keycloak/security/advisories/GHSA-4vc8-pg5c-vg4x
- https://nvd.nist.gov/vuln/detail/CVE-2021-3754
- https://github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e
- https://access.redhat.com/security/cve/CVE-2021-3754
- https://bugzilla.redhat.com/show_bug.cgi?id=1999196
Пакеты
org.keycloak:keycloak-services
< 24.0.1
24.0.1
Связанные уязвимости
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
A flaw was found in keycloak where an attacker is able to register him ...