Description
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3513
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
Related Vulnerabilities
CVE-2023-29019 Vulnerability in npm package @fastify/passport
CVE-2014-1972 Vulnerability in maven package org.apache.tapestry:tapestry-core
CVE-2016-2402 Vulnerability in maven package com.squareup.okhttp3:okhttp
CVE-2020-2182 Vulnerability in maven package org.jenkins-ci.plugins:credentials-binding
CVE-2016-0779 Vulnerability in maven package org.apache.tomee:arquillian-tomee-embedded