Bug 1388988 – CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1388988 - (CVE-2016-8629) CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Summary:	CVE-2016-8629 keycloak: user deletion via incorrect permissions check

Status:	NEW

Aliases:	CVE-2016-8629

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170404,repor...
Keywords:	Security

Depends On:
Blocks:	1386413 1438536
	Show dependency tree / graph

Reported:	2016-10-26 11:45 EDT by Chess Hazlett
Modified:	2018-03-12 02:26 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	keycloak 2.4.0
Doc Type:	If docs needed, set a value
Doc Text:	It was found that keycloak did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0872	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6	2017-04-04 17:26:43 EDT
Red Hat Product Errata	RHSA-2017:0873	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update on RHEL 7	2017-04-04 17:26:10 EDT
Red Hat Product Errata	RHSA-2017:0876	normal	SHIPPED_LIVE	Moderate: Red Hat Single Sign-On 7.1 update	2017-04-04 17:15:55 EDT

Groups: None (edit)

Description Chess Hazlett 2016-10-26 11:45:47 EDT

https://issues.jboss.org/browse/KEYCLOAK-3667

Comment 2 errata-xmlrpc 2017-04-04 13:16:10 EDT

This issue has been addressed in the following products:



Via RHSA-2017:0876 https://access.redhat.com/errata/RHSA-2017:0876

Comment 3 errata-xmlrpc 2017-04-04 13:27:22 EDT

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:0873 https://access.redhat.com/errata/RHSA-2017:0873

Comment 4 errata-xmlrpc 2017-04-04 13:27:45 EDT

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:0872 https://access.redhat.com/errata/RHSA-2017:0872

Note You need to log in before you can comment on or make changes to this bug.