PT-2021-13862 · Red Hat · Keycloak
Paramvir Jindal +1
Published 2021-03-09 · Updated 2021-03-15
CVE-2021-20262
CVSS v3.1: 6.8 (Medium)
| Vector | AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions: Keycloak version 12.0.0
Description:
A flaw was found in Keycloak where re-authentication does not occur while updating the password: a request from an already logged-in browser session is accepted without the user proving the current credential again. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user's browser (hence the physical attack vector, AV:P). The highest threat from this vulnerability is to confidentiality, integrity and system availability.
Recommendations:
For Keycloak version 12.0.0, consider implementing additional authentication measures to prevent account takeover, such as requiring re-authentication before password updates. As a temporary workaround, restrict access to password update functionality until a patch is available.
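The following is an added illustration of the weakness class and the recommended control; it is not Keycloak's code and does not come from this advisory. It places a password-update handler that trusts any live session (the pattern the description refers to) beside one that refuses the change unless the current password was re-verified within a freshness window. The names `AuthError`, `reauthenticate`, the `REAUTH_MAX_AGE_SECONDS` policy value and the account data are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000
# Assumed policy for the example: a password change is accepted only if the
# session proved the current credential within the last five minutes.
REAUTH_MAX_AGE_SECONDS = 300


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes


@dataclass
class Session:
    username: str
    authenticated_at: float  # time of the last interactive credential check


class AuthError(Exception):
    """Raised when a credential check fails or re-authentication is required."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, account: Account) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), account.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, account.digest)


def login(accounts: dict, username: str, password: str, now: Optional[float] = None) -> Session:
    """Interactive login: the only way a session obtains an authentication timestamp."""
    now = time.time() if now is None else now
    account = accounts[username]
    if not verify_password(password, account):
        raise AuthError("invalid credentials")
    return Session(username=username, authenticated_at=now)


def reauthenticate(accounts: dict, session: Session, password: str, now: Optional[float] = None) -> Session:
    """Re-checks the current password and refreshes the session's auth timestamp."""
    now = time.time() if now is None else now
    if not verify_password(password, accounts[session.username]):
        raise AuthError("invalid credentials")
    session.authenticated_at = now
    return session


def vulnerable_update_password(accounts: dict, session: Session, new_password: str) -> bool:
    """Weak pattern: possession of a valid session is the only requirement."""
    account = accounts[session.username]
    account.salt, account.digest = hash_password(new_password)
    return True


def hardened_update_password(accounts: dict, session: Session, new_password: str,
                             now: Optional[float] = None) -> bool:
    """Refuses the change unless the credential was proved within the freshness window."""
    now = time.time() if now is None else now
    age = now - session.authenticated_at
    if age < 0 or age > REAUTH_MAX_AGE_SECONDS:
        raise AuthError("re-authentication required before changing the password")
    account = accounts[session.username]
    account.salt, account.digest = hash_password(new_password)
    return True


def demo() -> dict:
    """Walks through the advisory's scenario with constructed data and returns the outcomes."""
    original = "correct horse battery"  # constructed sample credential
    accounts = {"alice": Account("alice", *hash_password(original))}
    session = login(accounts, "alice", original, now=0.0)
    later = 3600.0  # an hour later, someone at the still-open browser submits a change
    vulnerable_ok = vulnerable_update_password(accounts, session, "attacker-chosen")
    hijacked = verify_password("attacker-chosen", accounts["alice"])

    accounts = {"alice": Account("alice", *hash_password(original))}
    session = login(accounts, "alice", original, now=0.0)
    try:
        hardened_update_password(accounts, session, "attacker-chosen", now=later)
        stale_refused = False
    except AuthError:
        stale_refused = True
    intact = verify_password(original, accounts["alice"])
    # The legitimate owner re-enters the current password; only then is the change accepted.
    reauthenticate(accounts, session, original, now=later)
    legit_ok = hardened_update_password(accounts, session, "new secret", now=later + 5)
    return {
        "vulnerable_accepted_stale_session": vulnerable_ok,
        "vulnerable_password_hijacked": hijacked,
        "hardened_refused_stale_session": stale_refused,
        "hardened_left_password_intact": intact,
        "hardened_accepted_after_reauth": legit_ok,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The freshness check is deliberately keyed to an interactive credential proof rather than to session validity: a session cookie left in an open browser stays valid for hours, which is exactly what the physical-access scenario in the description relies on, while a recent re-authentication cannot be replayed by someone who does not know the password.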
Fix
Missing Authentication
Affected Products: Keycloak