Description

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905089

Related Vulnerabilities

CVE-2023-37912 Vulnerability in maven package org.xwiki.rendering:xwiki-rendering-macro-footnotes

CVE-2023-29511 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2020-6428 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-18635 Vulnerability in npm package @novnc/novnc

CVE-2021-41303 Vulnerability in maven package org.apache.shiro:shiro-core

Severity

Medium

Classification

CWE-250 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Tags

Issue Tracking Vendor Advisory