Red Hat Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
A user enumeration vulnerability has been identified in Keycloak. This issue arises when Organizations are enabled and the identity-first login flow is active. A remote attacker can exploit this vulnerability by sending login requests and observing the different error messages returned. Existing users trigger an 'Invalid Password' response, while non-existent users receive an 'Invalid username or password' error. This discrepancy allows attackers to determine the existence of users, leading to unauthorized information disclosure.
Exploitation of this vulnerability allows for user enumeration, where an attacker can determine the existence of users based on the differential error messages received during the login process.
To reproduce this vulnerability, create a realm in Keycloak and enable Organizations. Add a user with a known password to an organization. Then, navigate to the account login endpoint and enter a non-existent username followed by any password. The response will indicate that the username does not exist. Repeat the process with an existing username to receive a response indicating an invalid password, thereby confirming the user's existence.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.