Fluid Attacks Database

Description

Keycloak users may be able to remove MFA from other users' devices A community-only flaw was found where a malicious user can register himself and then uses the "remove devices" form to post different credential ids with the hope of removing MFA devices for other users.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-core	>=0 <9.0.2	9.0.2
maven	org.keycloak:keycloak-model-jpa	=8.0.2 \|\| =9.0.0	9.0.2
npm	keycloak-connect	=8.0.2 \|\| =9.0.0	9.0.2

Aliases

1. CVE-2020-106862. NVD-2020-106863. OSV-2020-106864. GCVE-2020-106865. bugzilla.redhat.com

References

1. https://github.com/keycloak/keycloak/commit/5ddd605ee96b8551c7eb00b609a0b97939925b772. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686