CVE-2021-3754

MEDIUM

Keycloak - Info Disclosure

Title source: llm

Description

A flaw was found in Keycloak where an attacker is able to register an account whose username is the same as the email address of any existing user. This may prevent the legitimate user from receiving the password recovery email in case they forget their password.

Exploits (1)

nomisec WRITEUP 1 stars
by 7Ragnarok7 · poc
https://github.com/7Ragnarok7/CVE-2021-3754

Scores

CVSS v3 5.3
EPSS 0.1232
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-20
Status published
Products (3)
org.keycloak/keycloak-services 0 - 24.0.1 (Maven)
redhat/keycloak
redhat/single_sign-on 7.0
Published Aug 26, 2022
Tracked Since Feb 18, 2026