rh-sso7-keycloak has an insecure login flow. The vulnerability exists because the WebAuthn password-less login flow allows anyone to register a new security device or key when no device is already registered for any user.
access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/release_notes/index
access.redhat.com/errata/RHSA-2021:3529
access.redhat.com/security/cve/CVE-2021-3632
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1978196
github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
github.com/keycloak/keycloak/pull/8203
issues.redhat.com/browse/KEYCLOAK-18500