Permanent Lockout is a feature of Brute Force Detection, but it does not stop a locked account's credentials from being disclosed. Once the account is locked, a malicious actor can keep submitting login attempts, and only when the submitted password is correct is the actor informed that the account is disabled. The differing responses act as an oracle: an attacker can go on guessing against a locked account and learn the valid password from the "account disabled" message. https://issues.redhat.com/browse/KEYCLOAK-17835
Acknowledgments: Name: Michał Knapik & Peter Nicholson (u2i)
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.4 for RHEL 7 via RHSA-2021:3528 https://access.redhat.com/errata/RHSA-2021:3528
Red Hat Single Sign-On 7.4 for RHEL 8 via RHSA-2021:3529 https://access.redhat.com/errata/RHSA-2021:3529
Red Hat Single Sign-On 7.4 for RHEL 6 via RHSA-2021:3527 https://access.redhat.com/errata/RHSA-2021:3527
Red Hat Single Sign-On 7.4.9 via RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3513