Bug 1999196 (CVE-2021-3754)

Summary: CVE-2021-3754 keycloak: allows using email as username
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: akoufoud, alazarot, anstephe, avibelli, bgeorges, boliveir, chazlett, cmoulliard, dkreling, emingora, ibek, ikanello, jochrist, jpallich, jrokos, jwon, kverlaen, lthon, mnovotny, pdrozd, peholase, pgallagh, pjindal, pskopek, rguimara, rruss, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak where an attacker can register an account whose username is identical to the email address of an existing user. This may prevent that user from receiving the password-recovery email if they forget their password.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1998585, 1999637

Description Michael Kaplan 2021-08-30 17:08:03 UTC
keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
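The lookup order the report blames, as an added model that is not Keycloak's own code: an in-memory user store that resolves a login identifier by username before email, alongside the registration check that closes the gap. Case-insensitive matching and the sample accounts are assumptions of this model.

```python
# Added illustration of the behaviour described above; a minimal in-memory
# model, not Keycloak's own code. Identifiers are matched case-insensitively
# (an assumption of this model).
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    email: str


class UserStore:
    def __init__(self, reject_cross_collisions: bool) -> None:
        # Keyed by lower-cased username.
        self.users: Dict[str, User] = {}
        self.reject_cross_collisions = reject_cross_collisions

    def _by_email(self, value: str) -> Optional[User]:
        value = value.lower()
        return next((u for u in self.users.values() if u.email.lower() == value), None)

    def register(self, username: str, email: str) -> User:
        if username.lower() in self.users or self._by_email(email):
            raise ValueError("username or email already taken")
        if self.reject_cross_collisions:
            # Hardened check: a new username may not equal an existing user's
            # email, and a new email may not equal an existing username.
            if self._by_email(username) or email.lower() in self.users:
                raise ValueError("identifier collides with another account")
        user = User(username, email)
        self.users[username.lower()] = user
        return user

    def lookup(self, identifier: str) -> Optional[User]:
        # Username is evaluated before email, which is the order the report
        # blames: a username equal to someone else's email shadows that user.
        return self.users.get(identifier.lower()) or self._by_email(identifier)


def reset_target(hardened: bool) -> str:
    """Which account a password-reset request for alice@example.com resolves to."""
    store = UserStore(reject_cross_collisions=hardened)
    store.register("alice", "alice@example.com")  # constructed existing account
    try:
        store.register("alice@example.com", "other@example.com")  # colliding username
    except ValueError:
        return "registration rejected"
    return store.lookup("alice@example.com").username
```

Without the cross-collision check the reset for alice@example.com resolves to the newer account; with it, the colliding registration never succeeds.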