Description
Due to improper authorization, Red Hat Single Sign-On allows users to perform actions they are not permitted to perform: it was possible to add users to the master realm even though no corresponding permission had been granted.
Remediation
References
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076
https://bugzilla.redhat.com/show_bug.cgi?id=2050228