7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-3632

GHSA ID

GHSA-qpq9-jpv4-6gwr

EPSS Score

0.34212%

CWE

CWE-287

Published

8/27/2022

Updated

2/3/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3632

CVE-2021-3632: Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-3632

CVE-2021-3632:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-3632

GHSA ID

GHSA-qpq9-jpv4-6gwr

EPSS Score

0.34212%

CWE

CWE-287

Published

8/27/2022

Updated

2/3/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.keycloak:keycloak-core	maven	< 15.1.0	15.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises because the WebAuthnPasswordlessAuthenticatorFactory in Keycloak versions <15.1.0 did not override the isUserSetupAllowed method inherited from its parent class (likely WebAuthnAuthenticatorFactory). This parent method allowed user setup (device registration) during authentication by default. Attackers exploited this by triggering the passwordless login flow for users without registered devices, forcing the registration of a new device and hijacking the account. The fix explicitly overrides isUserSetupAllowed in WebAuthnPasswordlessAuthenticatorFactory to return false, blocking this vector. The vulnerable function is the parent class's isUserSetupAllowed, which remained active in the absence of the override.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-3632: Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

CVE-2021-3632:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.5

7.5

Basic Information

Basic Information

CVE-2021-3632: Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI