Description
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3632
https://bugzilla.redhat.com/show_bug.cgi?id=1978196
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4
https://github.com/keycloak/keycloak/pull/8203
https://issues.redhat.com/browse/KEYCLOAK-18500
Related Vulnerabilities
CVE-2023-24163 Vulnerability in maven package cn.hutool:hutool-all
CVE-2022-37616 Vulnerability in maven package org.webjars.npm:xmldom
CVE-2011-2481 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2022-34193 Vulnerability in maven package org.lilicurroad.jenkins:packageversion
CVE-2019-10347 Vulnerability in maven package javagh.jenkins:mashup-portlets-plugin