A incorrect authorization flaw was found in Keycloak 12.0.0 and greater as well as Red Hat Single Sign-On 7.5.0 and greater, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled.
This issue has been addressed in the following products: RHSSO 7.5 async for CVE-2021-4133 Via RHSA-2021:5217 https://access.redhat.com/errata/RHSA-2021:5217
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2021:5219 https://access.redhat.com/errata/RHSA-2021:5219
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2021:5218 https://access.redhat.com/errata/RHSA-2021:5218
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4133
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0015 https://access.redhat.com/errata/RHSA-2022:0015
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0034 https://access.redhat.com/errata/RHSA-2022:0034
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151
This issue has been addressed in the following products: RHSSO 7.5.1 Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164