A flaw was found in Keycloak where the Account REST API allows a user to update their own user metadata attributes without restriction. Because those attributes feed the identity data that client applications trust, any malicious user can change their own NameID attribute to impersonate the admin user for any particular application.
https://issues.redhat.com/browse/KEYCLOAK-16468
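As an added illustration (not Keycloak's own code or the fix shipped in the errata), the following compares a self-service profile update that merges every submitted attribute with one that allowlists the attributes a user may edit and rejects the rest. The attribute names, the stored-user layout and the payload shape are assumptions chosen for the demo.

```python
# Added example, not code from Keycloak. Models an account-API attribute update.
# Attribute names below are assumptions; "nameid" stands for any attribute that a
# protocol mapper (e.g. a SAML NameID mapper) reads as the user's identity.
PROTECTED_ATTRIBUTES = {"nameid", "username", "email", "roles"}

# The only attributes a user may change about themselves via the account API.
USER_EDITABLE_ATTRIBUTES = {"locale", "phone", "displayName"}

# Sanity check on the policy itself: nothing identity-bearing is editable.
assert not PROTECTED_ATTRIBUTES & USER_EDITABLE_ATTRIBUTES


def update_attributes_unchecked(stored, payload):
    """Vulnerable behaviour: every attribute in the request is merged as-is."""
    result = dict(stored)
    result.update(payload.get("attributes", {}))
    return result


class AttributeUpdateRejected(ValueError):
    """Raised when a request names an attribute the user may not edit."""


def rejected_attributes(payload):
    """Return the sorted list of requested attributes outside the allowlist."""
    requested = payload.get("attributes", {})
    return sorted(set(requested) - USER_EDITABLE_ATTRIBUTES)


def update_attributes_allowlisted(stored, payload):
    """Hardened behaviour: refuse the whole request on any disallowed attribute.

    Rejecting (rather than silently dropping) makes the attempt visible in logs.
    """
    forbidden = rejected_attributes(payload)
    if forbidden:
        raise AttributeUpdateRejected(forbidden)
    result = dict(stored)
    result.update(payload.get("attributes", {}))
    return result


# Constructed sample data for the demo, not taken from the report.
STORED_USER = {"nameid": "alice", "locale": "en"}
HOSTILE_PAYLOAD = {"attributes": {"nameid": "admin", "locale": "de"}}
BENIGN_PAYLOAD = {"attributes": {"locale": "de"}}

if __name__ == "__main__":
    print("unchecked merge:", update_attributes_unchecked(STORED_USER, HOSTILE_PAYLOAD))
    print("allowlisted merge:", update_attributes_allowlisted(STORED_USER, BENIGN_PAYLOAD))
    print("rejected on hostile payload:", rejected_attributes(HOSTILE_PAYLOAD))
```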
Acknowledgments: Name: Marek Posolda (Red Hat)
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2020:5526 https://access.redhat.com/errata/RHSA-2020:5526
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2020:5527 https://access.redhat.com/errata/RHSA-2020:5527
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2020:5528 https://access.redhat.com/errata/RHSA-2020:5528
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2020:5533 https://access.redhat.com/errata/RHSA-2020:5533
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27826
Hi, can someone from the CCS team please approve the Doc text, as the customer is complaining about "No description available for this CVE". Thanks!