Description

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

Remediation

References

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt

https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076

https://bugzilla.redhat.com/show_bug.cgi?id=2050228

Related Vulnerabilities

CVE-2022-25876 Vulnerability in npm package link-preview-js

CVE-2022-43434 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2023-31581 Vulnerability in maven package com.usthe.sureness:sureness-core

CVE-2017-20162 Vulnerability in npm package ms

CVE-2020-28481 Vulnerability in npm package socket.io

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Exploit Third Party Advisory Issue Tracking Vendor Advisory