CVE-2021-4133

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Keycloak versions 12.0.0 through 15.1.1

Description A flaw was found in Keycloak that allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even when new user registration is disabled.

Recommendations For Keycloak versions 12.0.0 through 15.1.1, consider disabling the administrative REST API until a patch is available. Restrict access to the administrative REST API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2021-4133

GHSA-83X4-9CWR-5487

RHSA-2021:5218

RHSA-2021:5219

RHSA-2022:0151

RHSA-2022:0152

Affected Products

Keycloak

CVE-2021-4133

Weakness Enumeration

Related Identifiers

Affected Products

References · 11