CVE-2021-3424

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.

Published: Jun 1, 2021
Updated: May 9, 2024
CVE: CVE-2021-3424
GHSA: GHSA-pf38-cw3p-22q9
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
redhat / single_sign-on	7.4	7.4.x
org.keycloak / keycloak-services	-	18.0.0

https://bugzilla.redhat.com/show_bug.cgi?id=1933320

Vulnerability Database

289,599

CVE-2021-3424