
CVE-2021-3632: Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.34212%
Published: 8/27/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name               | Ecosystem | Vulnerable Versions | First Patched Version
org.keycloak:keycloak-core | maven     | < 15.1.0            | 15.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability arises because `WebAuthnPasswordlessAuthenticatorFactory` in Keycloak versions before 15.1.0 did not override the `isUserSetupAllowed()` method it inherits from its parent factory (likely `WebAuthnAuthenticatorFactory`), and the inherited implementation returns true. The flow engine consults this method when the user being authenticated has no credential configured for the authenticator: with setup allowed, it sends the user to register a new device instead of failing the login. An attacker therefore only needed to start the WebAuthn passwordless login flow for a victim who had not yet registered a device; the flow enrolled the attacker's own authenticator as the victim's credential, after which the attacker could log in as that user. The fix overrides `isUserSetupAllowed()` in `WebAuthnPasswordlessAuthenticatorFactory` to return false, so a missing passwordless credential ends the flow rather than starting registration. The vulnerable function is thus the parent class's `isUserSetupAllowed()`, which stayed in effect for the passwordless factory in the absence of the override.
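The following is an added illustration, not Keycloak's own code and not from this advisory: a minimal model of the flow-engine decision the root cause above describes. It places the vulnerable passwordless factory (no override, inheriting `true`) beside the patched one (override returning `false`) and runs both through a simplified `FlowEngine.process()` for a user with and without a registered device. The class and method names mirror the ones named on this page, but `FlowEngine`, `Outcome`, the `Map`-backed credential store and the usernames are constructed for the example; the real Keycloak flow processor applies further conditions (execution requirement, enabled required actions) that are omitted here.

```java
import java.util.Map;

// Minimal stand-in for the Keycloak interface: the only method modelled is the
// one this CVE turns on.
interface AuthenticatorFactory {
    String id();
    // Consulted when the authenticating user has no credential for this
    // authenticator: true lets the flow enroll one instead of failing.
    boolean isUserSetupAllowed();
}

// Stand-in for the parent factory. As a second factor, WebAuthn may legitimately
// enroll a device during login, so setup is allowed by default.
class WebAuthnAuthenticatorFactory implements AuthenticatorFactory {
    public String id() { return "webauthn-authenticator"; }
    public boolean isUserSetupAllowed() { return true; }
}

// Behaviour before 15.1.0: no override, so isUserSetupAllowed() is inherited
// as true and the passwordless flow will enroll a device for any user lacking one.
class VulnerableWebAuthnPasswordlessAuthenticatorFactory extends WebAuthnAuthenticatorFactory {
    @Override public String id() { return "webauthn-authenticator-passwordless"; }
}

// Behaviour from 15.1.0: the override closes the hole. In the passwordless flow the
// WebAuthn credential is the user's only proof of identity, so a missing credential
// must fail the login rather than start registration.
class PatchedWebAuthnPasswordlessAuthenticatorFactory extends WebAuthnAuthenticatorFactory {
    @Override public String id() { return "webauthn-authenticator-passwordless"; }
    @Override public boolean isUserSetupAllowed() { return false; }
}

enum Outcome { AUTHENTICATE_WITH_EXISTING_DEVICE, REGISTER_NEW_DEVICE, FAIL_NOT_SET_UP }

// Constructed simplification of the branch a flow processor takes for a required
// authenticator when the user has no credential configured for it.
class FlowEngine {
    static Outcome process(AuthenticatorFactory factory, Map<String, Boolean> hasDevice, String username) {
        boolean configured = hasDevice.getOrDefault(username, false);
        if (configured) {
            return Outcome.AUTHENTICATE_WITH_EXISTING_DEVICE;
        }
        // The CVE lives on this line: with the inherited true, an unauthenticated
        // caller who merely names a victim without a device is sent to enroll one.
        return factory.isUserSetupAllowed() ? Outcome.REGISTER_NEW_DEVICE : Outcome.FAIL_NOT_SET_UP;
    }
}

public class Cve20213632Demo {
    public static void main(String[] args) {
        // Constructed sample state: alice has enrolled a passwordless key, bob has not.
        Map<String, Boolean> hasDevice = Map.of("alice", true, "bob", false);
        AuthenticatorFactory[] factories = {
            new VulnerableWebAuthnPasswordlessAuthenticatorFactory(),
            new PatchedWebAuthnPasswordlessAuthenticatorFactory()
        };
        for (AuthenticatorFactory f : factories) {
            System.out.printf("%s: isUserSetupAllowed=%b%n",
                    f.getClass().getSimpleName(), f.isUserSetupAllowed());
            System.out.printf("  alice -> %s%n", FlowEngine.process(f, hasDevice, "alice"));
            // Vulnerable factory: REGISTER_NEW_DEVICE (attacker enrolls their own key as bob).
            // Patched factory:    FAIL_NOT_SET_UP.
            System.out.printf("  bob   -> %s%n", FlowEngine.process(f, hasDevice, "bob"));
        }
    }
}
```

Run with `javac Cve20213632Demo.java && java Cve20213632Demo`. The point to take from the two `bob` lines is that the fix does not touch the registration code at all; it only changes what the factory answers when a passwordless credential is absent, which is why the whole class of "enroll on behalf of a user who has nothing yet" is closed by a one-method override.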


WAF Protection Rules

WAF Rule

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
