
Keycloak's improper input validation allows using email as username

Low severity GitHub Reviewed Published Jun 12, 2024 in keycloak/keycloak • Updated Jun 12, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 24.0.1

Patched versions

24.0.1

Description

Keycloak allows an email address to be used as a username and does not check whether an account with that email already exists. Because usernames are evaluated before emails during lookup, a username that equals another account's email shadows that account, and the affected user can become unable to reset their password or log in with their email.
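As an added illustration (not Keycloak's code), the following constructed model shows the lookup order the advisory describes: a login identifier is matched against usernames before emails, so a second account whose username equals the first account's email wins the lookup; the hardened registration path rejects such a username. The store, user names and addresses are made up for the demo.

```python
"""Constructed model of the username-before-email lookup order; not Keycloak code."""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str


@dataclass
class UserStore:
    users: list = field(default_factory=list)

    def find_by_username(self, value):
        v = value.lower()
        return next((u for u in self.users if u.username.lower() == v), None)

    def find_by_email(self, value):
        v = value.lower()
        return next((u for u in self.users if u.email.lower() == v), None)

    def resolve_login(self, identifier):
        # Username first, then email: the ordering the advisory describes.
        # A username equal to another account's email therefore wins the
        # lookup and shadows that account for email-based login or reset.
        return self.find_by_username(identifier) or self.find_by_email(identifier)

    def register(self, username, email, check_cross_field=False):
        # Both variants enforce uniqueness of username and of email separately.
        if self.find_by_username(username) or self.find_by_email(email):
            raise ValueError("username or email already taken")
        # Hardened variant: also refuse a username that equals another
        # account's email, and an email that equals another account's username.
        if check_cross_field and (self.find_by_email(username) or self.find_by_username(email)):
            raise ValueError("identifier collides with another account")
        self.users.append(User(username, email))


def demonstrate():
    """For each variant: (second registration accepted?, who alice@example.com resolves to)."""
    result = {}
    for hardened in (False, True):
        store = UserStore()
        store.register("alice", "alice@example.com", check_cross_field=hardened)
        try:  # second account picks Alice's email address as its username
            store.register("alice@example.com", "bob@example.com", check_cross_field=hardened)
            accepted = True
        except ValueError:
            accepted = False
        result[hardened] = (accepted, store.resolve_login("alice@example.com").username)
    return result  # → {False: (True, 'alice@example.com'), True: (False, 'alice')}
```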

References

@abstractj published to keycloak/keycloak Jun 12, 2024
Published to the GitHub Advisory Database Jun 12, 2024
Reviewed Jun 12, 2024
Last updated Jun 12, 2024

Severity

Low 3.7 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-4vc8-pg5c-vg4x
