Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2021-3754 PoC — Red Hat Keycloak 安全漏洞

Source
https://github.com/7Ragnarok7/CVE-2021-3754
Associated Vulnerability
Title:Red Hat Keycloak 安全漏洞 (CVE-2021-3754)
Description:A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
Description
Vulnerability details and exploit for CVE-2021-3754
Readme
# CVE-2021-3754
This repository documents Vulnerability details and exploit for CVE-2021-3754 discovered and reported by myself on 21st August 2021

## Metrics
- [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)
- [CVSS: 5.3 (MEDIUM)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-3754&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1&source=NIST)

## Description
A flaw was found in Apache Keycloak & Redhat SSO where an attacker is able to register himself with the username same as the email ID of any existing user.  
This is caused by usernames being evaluated before emails.
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists.  

![login](img-src/login.png)

## Impact
The above behavior will cause trouble getting a password recovery email if the user forgets the password, thereby locking users out of their accounts temporarily.  

![forgot password](img-src/forgot_password.png)

## Mitigation (as suggested by Redhat)
The workaround is to enable the "Email as username" flag or disable "Login with email" in the login settings.
The official advisory by the Open Link plugin maintainer can be found at https://access.redhat.com/security/cve/cve-2021-3754.

![settings](img-src/settings.png)

## Proof of Concept/Exploit
Following is a proof of concept video that I initially reported to Redhat, which demonstrates the complete vulnerability along with exploitation steps [CLICK THE THUMBNAIL]:    

[![CVE-2021-3754 EXPLOIT / POC](img-src/1694080699.png)](https://youtu.be/5L27TiHcMPU)[<-- Click here]

## Notes
- Please note that the suggested by Redhat is temporary and the root issue of improper input validation has not been fixed by Redhat/Keycloak.
- Note that the mitigation suggested above by Redhat for keycloak has not been tested and verified by myself.
- Note that if you are using keycloak/Redhat SSO in any of your products/applications, you are still vulnerable. I have verified that Redhat SSO is still vulnerable to this issue till this date.
- If you are using keycloak and you have not configured the login screen settings properly, you might still be vulnerable.

## Important Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-3754
- https://www.cvedetails.com/cve/CVE-2021-3754/
- https://bugzilla.redhat.com/show_bug.cgi?id=1999196
- https://access.redhat.com/security/cve/CVE-2021-3754
- https://github.com/advisories/GHSA-j9xq-j329-2xvg
- https://vulners.com/cve/CVE-2021-3754
- https://www.tenable.com/cve/CVE-2021-3754
File Snapshot

 [4.0K]  /data/pocs/49b23e70689c425aa03c8ad29b4ab795a9f73c00
├── [4.0K]  img-src
│   ├── [ 17K]  1694080699.png
│   ├── [179K]  forgot_password.png
│   ├── [193K]  login.png
│   └── [240K]  settings.png
├── [1.0K]  LICENSE
└── [2.5K]  README.md

1 directory, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →