Description
Due to improper authorization, Red Hat Single Sign-On allows users to perform actions they should not be permitted to perform. In particular, it was possible to add users to the master realm even though no corresponding permission had been granted.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2050228
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076