CVE-2021-3827

Severity: High
Remote: Yes
Type: Authentication bypass

A security issue was found in Keycloak version 15: because of the default ECP binding flow, any other authentication flow can be bypassed. By exploiting this behavior, an attacker can bypass MFA by sending a SOAP request that contains an AuthnRequest together with an Authorization header carrying the user's credentials.
Group     Package   Affected  Fixed     Severity  Status  Ticket
AVG-1332  keycloak  15.0.2-1  16.0.0-1  High      Fixed   -
backported to 17.0.1-3