PT-2020-12283 · Red Hat · Keycloak
Published 2020-05-04 · Updated 2022-08-05 · CVE-2020-10686
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Keycloak versions 8.0.2 through 9.0.0
Description
A flaw was found where a malicious user can register as oneself and then use the "remove devices" form to post different credential IDs with the hope of removing MFA devices for other users.
Recommendations
For Keycloak versions 8.0.2 through 9.0.0, update to Keycloak version 9.0.1 to resolve the issue.
As a temporary workaround, consider restricting access to the "remove devices" form until a patch is available.
Fix
Weakness Enumeration
Improper Authorization
Related Identifiers
Affected Products
Keycloak