1388988 – (CVE-2016-8629) CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Bug 1388988 (CVE-2016-8629) - CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Summary: CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-8629
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1386413 1438536
TreeView+	depends on / blocked

Reported:	2016-10-26 15:45 UTC by Chess Hazlett
Modified:	2019-09-29 13:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:	keycloak 2.4.0
Doc Type:	If docs needed, set a value
Doc Text:	It was found that keycloak did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:01:15 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0872	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6	2017-04-04 21:26:43 UTC
Red Hat Product Errata	RHSA-2017:0873	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update on RHEL 7	2017-04-04 21:26:10 UTC
Red Hat Product Errata	RHSA-2017:0876	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update	2017-04-04 21:15:55 UTC

Description Chess Hazlett 2016-10-26 15:45:47 UTC

https://issues.jboss.org/browse/KEYCLOAK-3667

Comment 2 errata-xmlrpc 2017-04-04 17:16:10 UTC

This issue has been addressed in the following products:



Via RHSA-2017:0876 https://access.redhat.com/errata/RHSA-2017:0876

Comment 3 errata-xmlrpc 2017-04-04 17:27:22 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:0873 https://access.redhat.com/errata/RHSA-2017:0873

Comment 4 errata-xmlrpc 2017-04-04 17:27:45 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:0872 https://access.redhat.com/errata/RHSA-2017:0872

Note You need to log in before you can comment on or make changes to this bug.