PT-2021-11420 · Red Hat · Keycloak

Published: 2021-05-28 · Updated: 2022-03-18 · CVE-2020-27826
CVSS v2.0: 4.9 (Medium) · Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak versions prior to 12.0.0
Description: A flaw was found in Keycloak where it is possible to update a user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application.
Recommendations: For versions prior to 12.0.0, update to version 12.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Account REST API to minimize the risk of exploitation. Avoid using the NameID attribute in the affected API endpoint until the issue is resolved.

Related Identifiers

CVE-2020-27826
GHSA-M9CJ-V55F-8X26
RHSA-2020:5526
RHSA-2020:5527
RHSA-2020:5528

Affected Products

Keycloak