Description
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
Remediation
References
https://access.redhat.com/security/cve/cve-2020-14389
https://bugzilla.redhat.com/show_bug.cgi?id=1875843%2C
Related Vulnerabilities
CVE-2007-5333 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2020-9482 Vulnerability in maven package org.apache.nifi.registry:nifi-registry-web-api
CVE-2024-22207 Vulnerability in npm package @fastify/swagger-ui
CVE-2017-16047 Vulnerability in npm package mysqljs
CVE-2022-32533 Vulnerability in maven package org.apache.portals.jetspeed-2:jetspeed