
CVE-2021-3754: Keycloak's improper input validation allows using email as username

CVSS Score
3.7 (CVSS v3.1)

Basic Information

EPSS Score
0.89136%
Published
6/12/2024
Updated
12/20/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name
org.keycloak:keycloak-services
Ecosystem
maven
Vulnerable Versions
< 24.0.1
First Patched Version
24.0.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from:

  1. UsersResource.createUser's original implementation (removed in the patch) checked username and email existence only in isolation, with no cross-validation between the two fields
  2. The validators lacked bidirectional checks between the username and email fields
  3. The CWE-670 (incorrect control flow) weakness manifests as username validation running before the email checks, so an email address can be registered as a username before its uniqueness as an email is verified
  4. The patch adds cross-checks in the validators and removes the now-redundant checks from UsersResource, confirming these were the missing protections
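To make the missing cross-check concrete, the following is an added example (not Keycloak's code) that models the isolated per-field checks from item 1 next to a validator that also rejects a username equal to another account's email and an email equal to another account's username. The `User`, `RegistrationValidator` and `store` names, the in-memory list, and the lower-casing normalisation are assumptions for this illustration only.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Objects;

// Minimal in-memory model (assumption, not Keycloak's API) of the two validation strategies.
public class RegistrationValidator {
    record User(String username, String email) {}

    private final List<User> store = new ArrayList<>();

    void add(String username, String email) {
        store.add(new User(norm(username), norm(email)));
    }

    // Normalise the way a case-insensitive directory would (assumption for this model).
    private static String norm(String s) {
        return s == null ? null : s.trim().toLowerCase(Locale.ROOT);
    }

    // Vulnerable pattern: each field is compared only against its own column.
    // A username that equals somebody else's email passes, because no row has it as a *username*.
    boolean isolatedChecksPass(String username, String email) {
        String u = norm(username), e = norm(email);
        boolean usernameTaken = store.stream().anyMatch(x -> Objects.equals(x.username(), u));
        boolean emailTaken = store.stream().anyMatch(x -> Objects.equals(x.email(), e));
        return !usernameTaken && !emailTaken;
    }

    // Hardened pattern: bidirectional check. The new username must not match any existing
    // email, and the new email must not match any existing username, so a lookup by
    // "username or email" during login or password reset can never resolve to two accounts.
    boolean crossChecksPass(String username, String email) {
        String u = norm(username), e = norm(email);
        boolean usernameCollides = store.stream()
            .anyMatch(x -> Objects.equals(x.username(), u) || Objects.equals(x.email(), u));
        boolean emailCollides = e != null && store.stream()
            .anyMatch(x -> Objects.equals(x.email(), e) || Objects.equals(x.username(), e));
        return !usernameCollides && !emailCollides;
    }

    public static void main(String[] args) {
        RegistrationValidator v = new RegistrationValidator();
        v.add("alice", "alice@example.com"); // constructed existing account
        // Same request evaluated by both strategies: an existing user's email submitted as a username.
        System.out.println("isolated: " + v.isolatedChecksPass("alice@example.com", "other@example.com"));
        System.out.println("cross:    " + v.crossChecksPass("alice@example.com", "other@example.com"));
        System.out.println("fresh:    " + v.crossChecksPass("bob", "bob@example.com"));
    }
}
```

The example requires Java 16 or later for the `record` declaration.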

Vulnerable functions


WAF Protection Rules

WAF Rule

Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
