Keycloak allows anyone to register a new security device or key for any user by using the WebAuthn password-less login flow
High severity
GitHub Reviewed
Published Aug 27, 2022 to the GitHub Advisory Database • Updated Feb 3, 2023
Published by the National Vulnerability Database: Aug 26, 2022
Published to the GitHub Advisory Database: Aug 27, 2022
Reviewed: Sep 2, 2022
Last updated: Feb 3, 2023
Description
A flaw was found in Keycloak. This vulnerability allows anyone to use the WebAuthn password-less login flow to register a new security device or key for any user when a device is not already registered.