CVE-2016-8629 – org.keycloak:keycloak-core

Package

Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <2.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00454 pctl0.62921

Details

Moderate severity vulnerability that affects org.keycloak:keycloak-core Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

Metadata

Created: 2018-10-18T16:48:01Z
Modified: 2020-06-16T21:21:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-778x-2mqv-w6xw/GHSA-778x-2mqv-w6xw.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-778x-2mqv-w6xw
Finding: F039
Auto approve: 1