CVE-2020-10686

Published: May 4, 2020Modified: Nov 21, 2024

4.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Exploitability: 1.2 / Impact: 3.4

Source: NVD

Description

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

Affected (2)

Products: Redhat: Keycloak

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Keycloak	Version 8.0.2
Redhat Keycloak	Version 9.0.0

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.