CVE-2020-27826

HIGH8.8EPSS 0.17%

Authentication Bypass in keycloak

發布日:2022/3/18修改日:2023/11/8

描述

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

受影響套件(1)

Maven/org.keycloak:keycloak-corefrom 0, < 12.0.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-27826
WEBhttps://access.redhat.com/security/cve/cve-2020-27826
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1905089
WEBhttps://github.com/keycloak/keycloak/commit/dae4a3eaf26590b8d441b8e4bec3b700ee303b72