CVE-2021-3513: 
Java vulnerability analysis and mitigation

A vulnerability was identified in Keycloak (CVE-2021-3513) where a brute force attack remains possible even when the permanent lockout feature is enabled. The flaw was discovered due to incorrect error messages being displayed when wrong credentials are entered. The vulnerability affects Keycloak versions up to (excluding) 13.0.0 (NVD, Red Hat CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The flaw is categorized under CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-522 (Insufficiently Protected Credentials). The vulnerability allows attackers to determine valid credentials through error message differentiation, even when account lockout is enabled (NVD).

The primary impact of this vulnerability is on confidentiality. When exploited, it allows malicious actors to continue attempting to guess valid credentials even after an account is locked, as the system provides different error messages for correct passwords on locked accounts versus incorrect passwords (Red Hat Bugzilla).

The vulnerability has been fixed in Keycloak version 13.0.0. Red Hat has released several security updates to address this issue across different platforms through multiple security advisories: RHSA-2021:3527, RHSA-2021:3528, RHSA-2021:3529, and RHSA-2021:3534 (Red Hat Bugzilla).