CVE-2020-27826

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1905089 Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.4.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-05-28 11:15

Updated : 2024-02-28 18:28


NVD link : CVE-2020-27826

Mitre link : CVE-2020-27826

CVE.ORG link : CVE-2020-27826


JSON object : View

Products Affected

redhat

  • single_sign-on
  • keycloak
CWE
CWE-250

Execution with Unnecessary Privileges