Description
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1905089
Related Vulnerabilities
CVE-2021-25738 Vulnerability in maven package io.kubernetes:client-java-parent
CVE-2023-24441 Vulnerability in maven package org.jvnet.hudson.plugins:mstest
CVE-2018-11786 Vulnerability in maven package org.apache.karaf.shell:org.apache.karaf.shell.core
CVE-2021-43297 Vulnerability in maven package com.alibaba:hessian-lite
CVE-2020-14966 Vulnerability in maven package org.webjars.npm:jsrsasign