Description

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905089

Related Vulnerabilities

CVE-2023-34189 Vulnerability in maven package org.apache.inlong:manager-web

CVE-2020-2111 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2022-24697 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2023-34466 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-api

CVE-2020-1942 Vulnerability in maven package org.apache.nifi:nifi-framework

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo