A vulnerability was found in Keycloak, where a user with only the view-profile role is able to manage resources in the new account console. References: https://issues.redhat.com/browse/KEYCLOAK-15295
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.3 Via RHSA-2020:4931 https://access.redhat.com/errata/RHSA-2020:4931
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2020:4930 https://access.redhat.com/errata/RHSA-2020:4930
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2020:4929 https://access.redhat.com/errata/RHSA-2020:4929
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2020:4932 https://access.redhat.com/errata/RHSA-2020:4932
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14389
Acknowledgments: Name: Václav Muzikář (Red Hat)