Main Vulnerability Database Vulnerabilities #VU49112

#VU49112 Security restrictions bypass in Keycloak - CVE-2020-27826

Published: December 21, 2020 / Updated: December 22, 2020

Vulnerability identifier: #VU49112

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-27826

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Keycloak

Software vendor:
Keycloak

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists within the REST API functionality. Remote users can change their attributes, such as NameID and impersonate administrative users of the application.

Remediation

Install updates from vendor's website.

External links

https://access.redhat.com/errata/RHSA-2020:5526
https://bugzilla.redhat.com/show_bug.cgi?id=1905089