CVE-2021-3827 log

Source
Severity High
Remote Yes
Type Authentication bypass
Description
A security issue was found in Keycloak version 15: because of the default ECP binding flow, any other authentication flow can be bypassed. By exploiting this behavior, an attacker could bypass MFA by sending a SOAP request containing an AuthnRequest together with an Authorization header carrying the user's credentials.
Group     Package   Affected  Fixed     Severity  Status  Ticket
AVG-1332  keycloak  15.0.2-1  16.0.0-1  High      Fixed   -
References
https://bugzilla.redhat.com/show_bug.cgi?id=2007512
https://issues.redhat.com/browse/KEYCLOAK-19177
https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d
Notes
Backported to 17.0.1-3: https://github.com/archlinux/svntogit-community/commit/d337b5e05da257868e1fec7eaa9544cb30fb6736