Description

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905089

Related Vulnerabilities

CVE-2022-42124 Vulnerability in maven package com.liferay:com.liferay.layout.page.template.service

CVE-2021-21160 Vulnerability in maven package org.webjars.npm:electron

CVE-2016-3737 Vulnerability in maven package org.rhq:rhq-enterprise-comm

CVE-2023-51656 Vulnerability in maven package org.apache.iotdb:iotdb-server

CVE-2021-21349 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo