A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1905089 | Issue Tracking Vendor Advisory |
Configurations
History
No history.
Information
Published : 2021-05-28 11:15
Updated : 2024-02-28 18:28
NVD link : CVE-2020-27826
Mitre link : CVE-2020-27826
CVE.ORG link : CVE-2020-27826
JSON object : View
Products Affected
redhat
- single_sign-on
- keycloak
CWE
CWE-250
Execution with Unnecessary Privileges