1933639 – (CVE-2021-20262) CVE-2021-20262 keycloak: missing re-authentication while updating password

Bug 1933639 (CVE-2021-20262) - CVE-2021-20262 keycloak: missing re-authentication while updating password

Summary: CVE-2021-20262 keycloak: missing re-authentication while updating password

Keywords:
Status:	NEW
Alias:	CVE-2021-20262
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1932853 1934069
TreeView+	depends on / blocked

Reported:	2021-03-01 10:28 UTC by Paramvir jindal
Modified:	2025-02-04 08:28 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Paramvir jindal 2021-03-01 10:28:07 UTC

Re-authentication is missing while updating the password. This may cause account takeover if any attacker get the temporary physical access to a user's browser.

https://issues.redhat.com/browse/KEYCLOAK-17250

Comment 2 Paramvir jindal 2021-03-01 10:43:33 UTC

No Red Hat product other than RHSSO has this account console feature so marking all of them as not affected.

Comment 4 Paramvir jindal 2021-03-02 08:54:36 UTC

Acknowledgments:

Name: Tuan Tran (mgm security partners GmbH)

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
anstephe
avibelli
bgeorges
chazlett
cmoulliard
dkreling
ganandan
gmalinko
ibek
ikanello
janstey
jochrist
jpallich
jwon
kverlaen
lthon
mnovotny
pantinor
pdrozd
pgallagh
pjindal
rruss
sthorger