GitHub Advisory DatabaseGHSA-778X-2MQV-W6XWModerate severity vulnerability that affects org.keycloak:keycloak-core
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
65.8%
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.keycloak | keycloak-core | * | cpe:2.3:a:org.keycloak:keycloak-core:*:*:*:*:*:*:*:* |
References
rhn.redhat.com/errata/RHSA-2017-0876.html
www.securityfocus.com/bid/97392
www.securitytracker.com/id/1038180
access.redhat.com/errata/RHSA-2017:0872
access.redhat.com/errata/RHSA-2017:0873
bugzilla.redhat.com/show_bug.cgi?id=1388988
github.com/advisories/GHSA-778x-2mqv-w6xw
nvd.nist.gov/vuln/detail/CVE-2016-8629
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
65.8%