CVE-2020-27826 – org.keycloak:keycloak-core
Package
Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <12.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00166 pctl0.3811
Details
Authentication Bypass in keycloak
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application.
Metadata
Created: 2022-03-18T17:55:26Z
Modified: 2022-03-18T17:55:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m9cj-v55f-8x26/GHSA-m9cj-v55f-8x26.json
CWE IDs: ["CWE-250"]
Alternative ID: GHSA-m9cj-v55f-8x26
Finding: F159
Auto approve: 1