Bug 1905089 (CVE-2020-27826)

Summary: CVE-2020-27826 keycloak: Account REST API can update user metadata attributes
Product: [Other] Security Response
Reporter: Paramvir jindal <pjindal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aboyko, chazlett, drieden, jochrist, krathod, pdrozd, pjindal, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/KEYCLOAK-16564
          https://issues.redhat.com/browse/KEYCLOAK-16492
Whiteboard:
Fixed In Version: keycloak 12.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute and thereby impersonate the admin user for any particular application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-12-15 22:19:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1905076

Description Paramvir jindal 2020-12-07 13:25:56 UTC
A flaw was found in Keycloak where it is possible to update the user's metadata attributes using the Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
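The description above boils down to a self-service account endpoint writing through every attribute a client sends, including one that an identity-provider mapper later uses to build the NameID presented to a downstream application. The following Python snippet is an added illustration of that bug class and its usual mitigation (an allow-list of user-editable attributes, with rejection rather than silent dropping so tampering attempts surface in API error logs). It is not Keycloak's code and does not reproduce Keycloak's fix; the attribute names (`saml.nameid`, `locale`, etc.), the `User` record and the `resolve_nameid` mapper are constructed for the example.

```python
"""Allow-list filtering for self-service profile updates.

Constructed illustration of the bug class behind CVE-2020-27826: a
self-service account API that lets a user write arbitrary attributes,
including one an identity provider later reads when building the subject
identifier (NameID) sent to another application.  Attribute names, the
user record and the mapper below are all assumptions for this example,
not Keycloak's real data model.
"""
from dataclasses import dataclass, field

# Constructed allow-list: the only attributes a user may change on their own
# account through self-service.  Everything else is treated as protected.
SELF_SERVICE_ATTRIBUTES = frozenset({"phoneNumber", "locale", "displayName"})


@dataclass
class User:
    username: str
    attributes: dict = field(default_factory=dict)


class ProtectedAttributeError(ValueError):
    """Raised when a client tries to write an attribute outside the allow-list."""


def update_attributes_unsafe(user: User, incoming: dict) -> User:
    """The flawed pattern: every key the client sends is written through."""
    user.attributes.update(incoming)
    return user


def update_attributes_allowlisted(user: User, incoming: dict) -> User:
    """Hardened pattern: reject anything outside the self-service allow-list.

    Rejecting (rather than silently dropping) the request makes tampering
    attempts visible as 4xx errors, which is where a detection rule would hook in.
    """
    disallowed = sorted(set(incoming) - SELF_SERVICE_ATTRIBUTES)
    if disallowed:
        raise ProtectedAttributeError(f"attributes not user-editable: {disallowed}")
    user.attributes.update(incoming)
    return user


def resolve_nameid(user: User) -> str:
    """Constructed stand-in for an IdP mapper that derives the identifier sent
    to a client application from a user attribute, falling back to username."""
    return user.attributes.get("saml.nameid", user.username)


def demo() -> tuple:
    """Return the NameID a downstream app would see under each update pattern."""
    # Constructed tampered payload: a legitimate field plus a protected one.
    tampered = {"saml.nameid": "admin", "locale": "en"}

    victim = User("alice", {"saml.nameid": "alice"})
    update_attributes_unsafe(victim, tampered)
    unsafe_result = resolve_nameid(victim)  # "admin": identity is now spoofed

    hardened = User("alice", {"saml.nameid": "alice"})
    try:
        update_attributes_allowlisted(hardened, tampered)
    except ProtectedAttributeError:
        pass  # whole request rejected; nothing written
    safe_result = resolve_nameid(hardened)  # still "alice"
    return unsafe_result, safe_result


if __name__ == "__main__":
    print(demo())
```

Running the block prints `('admin', 'alice')`: the write-through handler lets the self-service caller become `admin` from the downstream application's point of view, while the allow-listed handler leaves the protected attribute untouched. When reviewing a real account API, the check to make is the same: enumerate which attributes feed identity mappers or authorization decisions and confirm none of them is reachable from a self-service write path.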

Comment 1 Paramvir jindal 2020-12-07 13:26:28 UTC
https://issues.redhat.com/browse/KEYCLOAK-16468

Comment 6 Paramvir jindal 2020-12-08 09:25:12 UTC
Acknowledgments:

Name: Marek Posolda (Red Hat)

Comment 7 errata-xmlrpc 2020-12-15 17:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 6

Via RHSA-2020:5526 https://access.redhat.com/errata/RHSA-2020:5526

Comment 8 errata-xmlrpc 2020-12-15 17:13:54 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 7

Via RHSA-2020:5527 https://access.redhat.com/errata/RHSA-2020:5527

Comment 9 errata-xmlrpc 2020-12-15 17:14:31 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 8

Via RHSA-2020:5528 https://access.redhat.com/errata/RHSA-2020:5528

Comment 10 errata-xmlrpc 2020-12-15 17:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533

Comment 11 Product Security DevOps Team 2020-12-15 22:19:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27826

Comment 12 Paramvir jindal 2021-02-22 10:53:19 UTC
Hi, can someone from the CCS team please approve the Doc Text, as a customer is complaining about "No description available for this CVE".
Thanks!