Keycloak Denial of Service via account lockout

2024-06-1219:42:21

Google

osv.dev

keycloak

denial of service

email format

7.1 High

AI Score

Confidence

Low

JSON

In any realm set with “User (Self) registration” a user that is registered with a username in email format can be “locked out” (denied from logging in) using his username.

CPENameOperatorVersion
org.keycloak:keycloak-serviceseq1.8.0.CR3
org.keycloak:keycloak-serviceseq1.6.0.Final
org.keycloak:keycloak-serviceseq11.0.2
org.keycloak:keycloak-serviceseq1.0.1.Final
org.keycloak:keycloak-serviceseq3.2.1.Final
org.keycloak:keycloak-serviceseq4.8.1.Final
org.keycloak:keycloak-serviceseq15.1.0
org.keycloak:keycloak-serviceseq3.4.0.Final
org.keycloak:keycloak-serviceseq20.0.4
org.keycloak:keycloak-serviceseq8.0.2

Name	Operator	Version
org.keycloak:keycloak-services	eq	1.8.0.CR3
org.keycloak:keycloak-services	eq	1.6.0.Final
org.keycloak:keycloak-services	eq	11.0.2
org.keycloak:keycloak-services	eq	1.0.1.Final
org.keycloak:keycloak-services	eq	3.2.1.Final
org.keycloak:keycloak-services	eq	4.8.1.Final
org.keycloak:keycloak-services	eq	15.1.0
org.keycloak:keycloak-services	eq	3.4.0.Final
org.keycloak:keycloak-services	eq	20.0.4
org.keycloak:keycloak-services	eq	8.0.2

Rows per page:

1-10 of 1681

References

github.com/keycloak/keycloak

github.com/keycloak/keycloak/commit/f9708037383aa98741e4850447de64dc4a0d4b4e

github.com/keycloak/keycloak/issues/29603

github.com/keycloak/keycloak/security/advisories/GHSA-cq42-vhv7-xr7p

7.1 High

AI Score

Confidence

Low

JSON