Description
A flaw was found in Keycloak where an attacker is able to register an account whose username is identical to the email address of an existing user. This can interfere with password recovery: the reset email may not reach the intended user if they forget their password.
Mitigation
The workaround is to enable the "Email as username" flag or to disable "Login with email" in the realm's login settings.
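To make the collision and both workarounds concrete, the following is an added, constructed Python model of the registration and login lookup behaviour this advisory describes; it is not Keycloak's own code. The realm flags `login_with_email_allowed` and `registration_email_as_username` are assumed to correspond to the "Login with email" and "Email as username" settings named above, and the user names and addresses are constructed sample data.

```python
"""
Constructed model of the username/email collision described in this advisory.
Illustrative Python only (not Keycloak's code): a tiny user store plus two
realm flags assumed to mirror "Login with email" and "Email as username".
"""
from dataclasses import dataclass, field


@dataclass
class Realm:
    login_with_email_allowed: bool = True          # "Login with email" (assumed name)
    registration_email_as_username: bool = False   # "Email as username" (assumed name)
    users: dict = field(default_factory=dict)      # username -> email


class AmbiguousLoginError(Exception):
    """One login identifier resolved to more than one account."""


def register_unchecked(realm: Realm, username: str, email: str) -> None:
    """Weak behaviour: only username uniqueness is enforced, so a new account
    may take a username equal to an existing user's email address."""
    if username in realm.users:
        raise ValueError("username already taken")
    realm.users[username] = email


def register_hardened(realm: Realm, username: str, email: str) -> None:
    """Hardened registration: with "Email as username" the username is forced
    to the email; otherwise, whenever email login is allowed, a username that
    equals any existing user's email is refused."""
    if realm.registration_email_as_username:
        username = email
    if username in realm.users:
        raise ValueError("username already taken")
    if realm.login_with_email_allowed:
        existing_emails = {e.lower() for e in realm.users.values()}
        if username.lower() in existing_emails:
            raise ValueError("username collides with an existing user's email")
    realm.users[username] = email


def resolve_login(realm: Realm, identifier: str) -> str:
    """Resolve what was typed in the login (or password-reset) form.
    With "Login with email" on, the identifier may match a username OR an
    email, so a collision yields two candidate accounts."""
    wanted = identifier.lower()
    candidates = {u for u in realm.users if u.lower() == wanted}
    if realm.login_with_email_allowed:
        candidates |= {u for u, e in realm.users.items() if e.lower() == wanted}
    if len(candidates) > 1:
        raise AmbiguousLoginError(f"{identifier!r} matches {sorted(candidates)}")
    if not candidates:
        raise KeyError(identifier)
    return candidates.pop()


def demo():
    """Returns (collision_is_ambiguous_in_weak_realm, collision_rejected_in_hardened_realm)."""
    victim_user, victim_email = "alice", "alice@example.test"   # constructed sample data
    second_email = "other@example.test"                          # constructed sample data

    weak = Realm()
    register_unchecked(weak, victim_user, victim_email)
    register_unchecked(weak, victim_email, second_email)   # username == victim's email
    try:
        resolve_login(weak, victim_email)
        weak_ambiguous = False
    except AmbiguousLoginError:
        weak_ambiguous = True

    hard = Realm()
    register_hardened(hard, victim_user, victim_email)
    try:
        register_hardened(hard, victim_email, second_email)
        rejected = False
    except ValueError:
        rejected = True
    return weak_ambiguous, rejected


if __name__ == "__main__":
    print(demo())
```

Disabling "Login with email" removes the ambiguity from a different direction: `resolve_login` then only matches usernames, so an account named after someone else's address no longer shadows that person's password-reset lookup.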
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | keycloak | Not affected | | |
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | | |
| Red Hat Process Automation 7 | keycloak | Not affected | | |
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Not affected | | |
| Red Hat support for Spring Boot | keycloak | Not affected | | |
Additional information
Status:
3.7 Low
CVSS3
Related vulnerabilities
Keycloak's improper input validation allows using email as username