Description
A flaw was found in Keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message being displayed when wrong credentials are entered, so the response does not behave as a locked account should. The highest threat from this vulnerability is to confidentiality.
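The following is an added illustration of the property that a permanent-lockout feature has to preserve, written for this page; it is not Keycloak's code and makes no claim about Keycloak's internals. It models a minimal login service (hypothetical names: `LoginService`, `Account`, `GENERIC_ERROR`, `MAX_FAILURES`) in which, once an account is locked, the password is no longer evaluated and the response is byte-for-byte the same generic message that an ordinary wrong password produces. A helper, `responses_are_uniform`, checks that invariant, and an audit list records lockout events so that continued attempts against a locked account can be surfaced to monitoring.

```python
"""Illustrative permanent-lockout login handler (hypothetical, not Keycloak's code).

Property demonstrated: the login response must not change once an account is
locked, and a locked account must reject even the correct password.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_FAILURES = 3                      # constructed policy: lock after three failures
GENERIC_ERROR = "Invalid username or password."
_DUMMY_SALT = b"\x00" * 16            # used so unknown users cost the same work


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only to keep the example self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Audit trail a detection pipeline could consume (constructed format).
        self.audit: List[Tuple[str, str]] = []

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return bool(acct and acct.locked)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        acct = self.accounts.get(username)
        if acct is None:
            _hash_password(password, _DUMMY_SALT)   # comparable work, same message
            self.audit.append((username, "failure_unknown_user"))
            return False, GENERIC_ERROR
        if acct.locked:
            # Locked: do not evaluate the password at all. The caller sees exactly
            # the same response as for a wrong password on an unlocked account.
            _hash_password(password, acct.salt)
            self.audit.append((username, "attempt_on_locked_account"))
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit.append((username, "success"))
            return True, "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True                       # permanent: no automatic reset
            self.audit.append((username, "locked"))
        else:
            self.audit.append((username, "failure"))
        return False, GENERIC_ERROR


def responses_are_uniform(svc: LoginService, username: str, good_password: str) -> bool:
    """Check the invariant: wrong-password, locked-account (wrong and correct
    password) and unknown-user responses are all identical, and a locked
    account never authenticates."""
    before = svc.login(username, "definitely-wrong")
    while not svc.is_locked(username):
        svc.login(username, "definitely-wrong")
    locked_wrong = svc.login(username, "definitely-wrong")
    locked_right = svc.login(username, good_password)
    unknown = svc.login("nobody-" + secrets.token_hex(4), good_password)
    return before == locked_wrong == locked_right == unknown == (False, GENERIC_ERROR)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed account
    print("uniform responses:", responses_are_uniform(svc, "alice", "correct horse battery staple"))
    print("attempts on locked account:",
          sum(1 for _, ev in svc.audit if ev == "attempt_on_locked_account"))
```

The `attempt_on_locked_account` audit event is the one a detection rule would alert on: a permanently locked account should see no further successful or distinguishable responses, so a steady stream of those events is the signal that someone is still probing it.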
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3513
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
Related Vulnerabilities
CVE-2020-2135 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2021-32050 Vulnerability in maven package org.webjars.npm:mongodb
CVE-2023-48222 Vulnerability in maven package org.rundeck:rundeck
CVE-2022-24858 Vulnerability in npm package next-auth
CVE-2017-5644 Vulnerability in maven package org.apache.poi:poi