Description
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3513
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
Related Vulnerabilities
CVE-2011-4367 Vulnerability in maven package org.apache.myfaces.core:myfaces-core-project
CVE-2019-1003035 Vulnerability in maven package org.jenkins-ci.plugins:azure-vm-agents
CVE-2016-8747 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2022-3782 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2011-2731 Vulnerability in maven package org.springframework.security:spring-security-core