
CVE-2021-3513: Incorrect implementation of lockout feature in Keycloak

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.42463%
Published: 8/23/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.keycloak:keycloak-parent
Ecosystem: maven
Vulnerable Versions: < 13.0.0
First Patched Version: 13.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two key issues: 1) error messages revealed whether an account was locked versus having invalid credentials (CWE-209), and 2) the authentication flow validated the password before checking the lock status (CWE-522). GitHub PR #7976 shows these were fixed by a) making the error message for locked accounts generic regardless of password validity, and b) adding early account status checks. The identified functions are the core authentication handlers where these flawed checks would logically occur, based on Keycloak's architecture and the patch's focus on user status validation and error message unification.
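An added illustration of the two defects described above and the shape of the fix; this is not code from the page, from PR #7976 or from Keycloak itself, and the User record, USERS map and login methods are hypothetical. The vulnerable handler verifies the password first and answers differently for a locked account, while the hardened handler checks account status first and returns one generic message on every failure path.

```java
import java.util.Map;
import java.util.Objects;

// Model of the lockout flaw and its fix (hypothetical types, not Keycloak's API).
public class LockoutFlowExample {
    // Constructed user store: username -> {password, locked flag}
    record User(String password, boolean locked) {}
    static final Map<String, User> USERS = Map.of(
        "alice", new User("correct-horse", true)); // alice is permanently locked out

    static final String GENERIC = "Invalid username or password";

    // Vulnerable ordering: the password is verified BEFORE the lock status is consulted,
    // and the response differs depending on whether the password was right. A locked
    // account therefore still confirms or denies each guess, defeating the lockout.
    static String loginVulnerable(String username, String password) {
        User u = USERS.get(username);
        if (u == null || !Objects.equals(u.password(), password)) {
            return GENERIC;             // wrong password: generic message
        }
        if (u.locked()) {
            return "Account is locked"; // right password: distinct message reveals the lock
        }
        return "OK";
    }

    // Hardened ordering: account status is checked first, the password of a locked
    // account is never evaluated, and every failure path returns the same message.
    // The specific reason belongs in server-side audit events, not in the client response.
    static String loginHardened(String username, String password) {
        User u = USERS.get(username);
        if (u == null || u.locked()) {
            return GENERIC;             // early status check, before any password work
        }
        if (!Objects.equals(u.password(), password)) {
            return GENERIC;
        }
        return "OK";
    }

    // True when the response for a locked account does not depend on the password.
    static boolean responsesIndistinguishable(String username) {
        return loginHardened(username, "wrong").equals(loginHardened(username, "correct-horse"));
    }

    public static void main(String[] args) {
        System.out.println("vulnerable, wrong password: " + loginVulnerable("alice", "wrong"));
        System.out.println("vulnerable, right password: " + loginVulnerable("alice", "correct-horse"));
        System.out.println("hardened, wrong password:   " + loginHardened("alice", "wrong"));
        System.out.println("hardened, right password:   " + loginHardened("alice", "correct-horse"));
        System.out.println("hardened responses indistinguishable: " + responsesIndistinguishable("alice"));
    }
}
```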


WAF Protection Rules

WAF Rule

A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is t
