Description
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686
Related Vulnerabilities
CVE-2022-42125 Vulnerability in maven package com.liferay.portal:com.liferay.portal.impl
CVE-2021-21347 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2023-40827 Vulnerability in maven package org.pf4j:pf4j
CVE-2020-36732 Vulnerability in maven package org.webjars.npm:crypto-js
CVE-2019-0201 Vulnerability in maven package org.apache.zookeeper:zookeeper