Bug 1388988 (CVE-2016-8629) - CVE-2016-8629 keycloak: user deletion via incorrect permissions check
Summary: CVE-2016-8629 keycloak: user deletion via incorrect permissions check
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-8629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1386413 1438536
Reported: 2016-10-26 15:45 UTC by Chess Hazlett
Modified: 2019-09-29 13:58 UTC (History)

Fixed In Version: keycloak 2.4.0
Doc Type: If docs needed, set a value
Doc Text:
It was found that Keycloak did not correctly check permissions when handling user deletion requests made by service accounts against the REST server. An attacker authenticated as a service account could use this flaw to bypass the normal permission checks and delete users in a separate realm.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:01:15 UTC
Links
System                 | ID             | Priority | Status       | Summary                                               | Last Updated
Red Hat Product Errata | RHSA-2017:0872 | normal   | SHIPPED_LIVE | Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6 | 2017-04-04 21:26:43 UTC
Red Hat Product Errata | RHSA-2017:0873 | normal   | SHIPPED_LIVE | Moderate: Red Hat Single Sign-On 7.1 update on RHEL 7 | 2017-04-04 21:26:10 UTC
Red Hat Product Errata | RHSA-2017:0876 | normal   | SHIPPED_LIVE | Moderate: Red Hat Single Sign-On 7.1 update           | 2017-04-04 21:15:55 UTC

Description Chess Hazlett 2016-10-26 15:45:47 UTC
https://issues.jboss.org/browse/KEYCLOAK-3667

Comment 2 errata-xmlrpc 2017-04-04 17:16:10 UTC
This issue has been addressed in the following products:
Via RHSA-2017:0876 https://access.redhat.com/errata/RHSA-2017:0876

Comment 3 errata-xmlrpc 2017-04-04 17:27:22 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:0873 https://access.redhat.com/errata/RHSA-2017:0873

Comment 4 errata-xmlrpc 2017-04-04 17:27:45 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:0872 https://access.redhat.com/errata/RHSA-2017:0872
