Description

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905089

Related Vulnerabilities

CVE-2023-35148 Vulnerability in maven package org.jenkins-ci.plugins:ease-plugin

CVE-2023-48218 Vulnerability in npm package strapi-plugin-protected-populate

CVE-2022-34198 Vulnerability in maven package org.jenkins-ci.plugins:stashbranchparameter

CVE-2023-46673 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2020-1960 Vulnerability in maven package org.apache.flink:flink-metrics-jmx

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo