Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1388988

https://access.redhat.com/errata/RHSA-2017:0873

https://access.redhat.com/errata/RHSA-2017:0872

http://www.securitytracker.com/id/1038180

http://www.securityfocus.com/bid/97392

http://rhn.redhat.com/errata/RHSA-2017-0876.html

Related Vulnerabilities

CVE-2022-24815 Vulnerability in npm package generator-jhipster

CVE-2022-31684 Vulnerability in maven package io.projectreactor.netty:reactor-netty-http

CVE-2021-32827 Vulnerability in maven package org.mock-server:mockserver-core

CVE-2022-36887 Vulnerability in maven package org.jenkins-ci.plugins:jobconfighistory

CVE-2023-37478 Vulnerability in npm package @pnpm/win-x64

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Issue Tracking Vendor Advisory Third Party Advisory VDB Entry