Description
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
Remediation
References
https://access.redhat.com/security/cve/cve-2020-14389
https://bugzilla.redhat.com/show_bug.cgi?id=1875843%2C
Related Vulnerabilities
CVE-2018-3774 Vulnerability in npm package url-parse
CVE-2018-1000407 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-0225 Vulnerability in maven package org.apache.jspwiki:jspwiki-builder
CVE-2019-16568 Vulnerability in maven package hudson.plugins.sctmexecutor:sctmexecutor
CVE-2016-3092 Vulnerability in maven package commons-fileupload:commons-fileupload