PT-2018-5037 · Red Hat · Red Hat Keycloak

Chess Hazlett · Published 2018-03-12 · Updated 2019-10-09 · CVE-2016-8629

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Red Hat Keycloak versions prior to 2.4.0

Description: The issue arises from incorrect permission checks when handling service account user deletion requests sent to the REST server. An attacker authenticated as a service account could exploit this to bypass the normal permission model and delete users in a separate realm.

Recommendations: For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue.
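A constructed model of the flaw described above, added here as an illustration and not Keycloak's own code: the vulnerable delete handler checks only the caller's role, while the hardened one also scopes the lookup to the caller's realm. Realm names, user ids and the `manage-users` role are assumed sample values; Python is used so the model runs stand-alone even though Keycloak itself is written in Java.

```python
"""Constructed model of a cross-realm user-deletion check (not Keycloak code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceAccountToken:
    client_id: str
    realm: str          # realm the service account was issued in
    roles: frozenset    # e.g. {"manage-users"}


@dataclass
class User:
    user_id: str
    realm: str


class Forbidden(Exception):
    pass


# Constructed user store holding two realms that must stay isolated.
USERS = {
    "u-1": User("u-1", "tenant-a"),
    "u-2": User("u-2", "tenant-b"),
}


def delete_user_vulnerable(token, user_id, users):
    """Role-only check: the target user's realm is never compared to the caller's."""
    if "manage-users" not in token.roles:
        raise Forbidden("missing manage-users role")
    users.pop(user_id)  # resolved globally, so a tenant-b user can be removed
    return True


def delete_user_fixed(token, user_id, users):
    """Role check plus realm scoping: the target must live in the caller's realm."""
    if "manage-users" not in token.roles:
        raise Forbidden("missing manage-users role")
    user = users.get(user_id)
    # Same error whether the user is missing or in another realm, so the
    # response does not reveal whether an id exists across the boundary.
    if user is None or user.realm != token.realm:
        raise Forbidden("user not found in caller's realm")
    users.pop(user_id)
    return True


def demo():
    """Returns (cross_realm_delete_succeeded_on_vulnerable, blocked_on_fixed)."""
    token = ServiceAccountToken("svc", "tenant-a", frozenset({"manage-users"}))
    vuln_store = dict(USERS)
    delete_user_vulnerable(token, "u-2", vuln_store)  # tenant-b user removed
    fixed_store = dict(USERS)
    try:
        delete_user_fixed(token, "u-2", fixed_store)
        blocked = False
    except Forbidden:
        blocked = True
    return "u-2" not in vuln_store, blocked and "u-2" in fixed_store
```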

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2016-8629
GHSA-778X-2MQV-W6XW
RHSA-2017:0872
RHSA-2017:0873

Affected Products

Keycloak
Red Hat Keycloak