Description
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.
Remediation
References
https://access.redhat.com/security/cve/CVE-2021-3513
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
Related Vulnerabilities
CVE-2015-5323 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-26136 Vulnerability in maven package org.webjars.npm:tough-cookie
CVE-2020-13943 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2017-12648 Vulnerability in maven package com.liferay:com.liferay.frontend.taglib
CVE-2017-18353 Vulnerability in npm package rendertron-middleware