KeyCloak 8.0.2/9.0.0 improper authorization


A vulnerability was found in KeyCloak 8.0.2/9.0.0. It has been rated as problematic. The affected functionality is not identified in the entry summary; the NVD summary in the field history below attributes it to the remove-devices credential form. Upgrading to version 9.0.1 eliminates this vulnerability.

| Field | 05/05/2020 08:31 AM | 10/15/2020 08:38 AM | 10/15/2020 08:42 AM |
|---|---|---|---|
| name | KeyCloak | KeyCloak | KeyCloak |
| version | 8.0.2/9.0.0 | 8.0.2/9.0.0 | 8.0.2/9.0.0 |
| risk | 1 | 1 | 1 |
| cvss2_vuldb_basescore | 1.7 | 1.7 | 1.7 |
| cvss2_vuldb_tempscore | 1.5 | 1.5 | 1.5 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | H | H | H |
| cvss2_vuldb_au | M | M | M |
| cvss2_vuldb_ci | N | N | N |
| cvss2_vuldb_ii | N | N | N |
| cvss2_vuldb_ai | P | P | P |
| cvss3_meta_basescore | 3.1 | 3.1 | 3.1 |
| cvss3_meta_tempscore | 3.0 | 3.0 | 3.0 |
| cvss3_vuldb_basescore | 2.2 | 2.2 | 2.2 |
| cvss3_vuldb_tempscore | 2.1 | 2.1 | 2.1 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | H | H | H |
| cvss3_vuldb_pr | H | H | H |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | N | N | N |
| cvss3_vuldb_i | N | N | N |
| cvss3_vuldb_a | L | L | L |
| date | 1588550400 (05/04/2020) | 1588550400 (05/04/2020) | 1588550400 (05/04/2020) |
| location | Bugzilla | Bugzilla | Bugzilla |
| type | Bug Report | Bug Report | Bug Report |
| url | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| name | Upgrade | Upgrade | Upgrade |
| upgrade_version | 9.0.1 | 9.0.1 | 9.0.1 |
| cve | CVE-2020-10686 | CVE-2020-10686 | CVE-2020-10686 |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | X | X | X |
| cvss3_nvd_basescore | 4.1 | 4.1 | 4.1 |
| cwe | 285 (privilege escalation) | 285 (privilege escalation) | 285 (privilege escalation) |
| cvss3_nvd_av | N | N | N |
| cvss3_nvd_ac | H | H | H |
| cvss3_nvd_pr | H | H | H |
| cvss3_nvd_ui | N | N | N |
| cvss3_nvd_s | U | U | U |
| cvss3_nvd_c | L | L | L |
| cvss3_nvd_i | L | L | L |
| cvss3_nvd_a | L | L | L |
| cve_assigned | 1584662400 | 1584662400 | 1584662400 |
| cve_nvd_summary | A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. | A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. | A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users. |
| confirm_url | | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 |
| cve_cna | | | Red Hat, Inc. |
