Description
A flaw was found in Keycloak versions 8.0.2 and 9.0.0, fixed in Keycloak version 9.0.1, where a malicious user registers an account for themselves. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices belonging to other users.
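As an added illustration (not Keycloak's code and not the 9.0.1 fix itself), the bug class described above in a hypothetical remove-device handler that trusts the posted credential ID, beside a version that refuses IDs the caller does not own; the in-memory store and the user and credential names are constructed:

```python
# Added example, not Keycloak's own code: a hypothetical "remove device" handler
# that trusts the posted credential ID, beside one that checks ownership first.
from dataclasses import dataclass

@dataclass
class Credential:
    cred_id: str
    user_id: str  # owner of this MFA credential

class CredentialStore:
    # Minimal in-memory stand-in for the credential table.
    def __init__(self):
        self._creds = {}
    def add(self, cred):
        self._creds[cred.cred_id] = cred
    def get(self, cred_id):
        return self._creds.get(cred_id)
    def delete(self, cred_id):
        self._creds.pop(cred_id, None)
    def ids_for_user(self, user_id):
        return {c.cred_id for c in self._creds.values() if c.user_id == user_id}

def remove_device_vulnerable(store, current_user, posted_id):
    # Bug class from the advisory: delete whatever ID the form posted, never checking who owns it.
    if store.get(posted_id) is None:
        return False
    store.delete(posted_id)
    return True

def remove_device_fixed(store, current_user, posted_id):
    # Scope the lookup to the authenticated user. A foreign ID is handled
    # exactly like an unknown one, so the response does not reveal it exists.
    cred = store.get(posted_id)
    if cred is None or cred.user_id != current_user:
        return False
    store.delete(posted_id)
    return True

def simulate(handler):
    # Constructed scenario: "attacker" self-registers, then posts the victim's
    # credential ID to the remove-device form. Returns each user's remaining IDs.
    store = CredentialStore()
    store.add(Credential("cred-victim-otp", "victim"))
    store.add(Credential("cred-attacker-otp", "attacker"))
    handler(store, "attacker", "cred-victim-otp")
    return {u: store.ids_for_user(u) for u in ("victim", "attacker")}

if __name__ == "__main__":
    print(simulate(remove_device_vulnerable), simulate(remove_device_fixed))
```

With the vulnerable handler the victim's only MFA credential is gone after the request; with the ownership check the request fails and nothing changes.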
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686