Bug 2033602 (CVE-2021-4133)

Summary: CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users
Product: [Other] Security Response Reporter: Jonathan Christison <jochrist>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, benjamin.alpert, boliveir, chazlett, drieden, huzaifas, jochrist, jross, jwon, krathod, llopezmo, pdrozd, pjindal, rgodfrey, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 15.1.1, keycloak 16.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-20 17:19:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2033517, 2033617    

Description Jonathan Christison 2021-12-17 11:43:47 UTC 
A incorrect authorization flaw was found in Keycloak 12.0.0 and greater as well as Red Hat Single Sign-On 7.5.0 and greater, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled.
Comment 5 errata-xmlrpc 2021-12-20 16:16:35 UTC 
This issue has been addressed in the following products:

  RHSSO 7.5 async for CVE-2021-4133

Via RHSA-2021:5217 https://access.redhat.com/errata/RHSA-2021:5217
Comment 6 errata-xmlrpc 2021-12-20 16:18:54 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2021:5219 https://access.redhat.com/errata/RHSA-2021:5219
Comment 7 errata-xmlrpc 2021-12-20 16:21:13 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2021:5218 https://access.redhat.com/errata/RHSA-2021:5218
Comment 8 Product Security DevOps Team 2021-12-20 17:19:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4133
Comment 14 errata-xmlrpc 2022-01-04 16:16:51 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0015 https://access.redhat.com/errata/RHSA-2022:0015
Comment 15 errata-xmlrpc 2022-01-05 18:19:42 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0034 https://access.redhat.com/errata/RHSA-2022:0034
Comment 16 errata-xmlrpc 2022-01-17 21:30:37 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152
Comment 17 errata-xmlrpc 2022-01-17 21:31:35 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151
Comment 18 errata-xmlrpc 2022-01-17 21:46:46 UTC 
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155
Comment 19 errata-xmlrpc 2022-01-18 14:54:08 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164