Bug 1905089 (CVE-2020-27826)
| Field | Value |
|---|---|
| Summary | CVE-2020-27826 keycloak: Account REST API can update user metadata attributes |
| Product | [Other] Security Response |
| Reporter | Paramvir jindal <pjindal> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | aboyko, chazlett, drieden, jochrist, krathod, pdrozd, pjindal, sthorger |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| See Also | https://issues.redhat.com/browse/KEYCLOAK-16564, https://issues.redhat.com/browse/KEYCLOAK-16492 |
| Fixed In Version | keycloak 12.0.0 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows an attacker to change their own NameID attribute to impersonate the admin user for any particular application. |
| Story Points | --- |
| Last Closed | 2020-12-15 22:19:34 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1905076 |
Description (Paramvir jindal, 2020-12-07 13:25:56 UTC)

Acknowledgments:

Name: Marek Posolda (Red Hat)

This issue has been addressed in the following products:

- Red Hat Single Sign-On 7.4 for RHEL 6, via RHSA-2020:5526: https://access.redhat.com/errata/RHSA-2020:5526
- Red Hat Single Sign-On 7.4 for RHEL 7, via RHSA-2020:5527: https://access.redhat.com/errata/RHSA-2020:5527
- Red Hat Single Sign-On 7.4 for RHEL 8, via RHSA-2020:5528: https://access.redhat.com/errata/RHSA-2020:5528
- Red Hat Single Sign-On, via RHSA-2020:5533: https://access.redhat.com/errata/RHSA-2020:5533

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27826

Hi, can someone from the CCS team please approve the Doc text, as the customer is complaining about "No description available for this CVE". Thanks!