Description
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3513
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
Related Vulnerabilities
CVE-2021-22112 Vulnerability in maven package org.springframework.security:spring-security-core
CVE-2020-1912 Vulnerability in npm package hermes-engine
CVE-2017-17068 Vulnerability in maven package org.webjars.npm:auth0-js
CVE-2020-15096 Vulnerability in npm package electron
CVE-2018-6341 Vulnerability in maven package org.webjars.npm:svelte