Description

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

Remediation

References

https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487

https://github.com/keycloak/keycloak/issues/9247

https://bugzilla.redhat.com/show_bug.cgi?id=2033602

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2016-6795 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2018-16492 Vulnerability in npm package extend

CVE-2016-15026 Vulnerability in maven package com.googlecode.plist:dd-plist

CVE-2016-9177 Vulnerability in maven package com.sparkjava:spark-core

CVE-2018-11041 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa

Severity

Critical

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Issue Tracking Not Applicable