CVE-2016-8629

CWE-284 — Improper Access Control CWE-2646 documents6 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 56.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

3

Redhat Keycloak RED Hat, Inc. Keycloak Redhat Single Sign ON

Timeline

PublishedMar 12

Latest updateOct 18

Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDredhat/keycloak< 2.4.0

▶Mavenorg.keycloak:keycloak-core< 2.4.0

▶CVEListV5red_hat,_inc./keycloak2.4.0

▶NVDredhat/single_sign_on7.1, 7.2+1

🔴Vulnerability Details

3

OSV

Moderate severity vulnerability that affects org.keycloak:keycloak-core↗2018-10-18

▶

GHSA

Moderate severity vulnerability that affects org.keycloak:keycloak-core↗2018-10-18

▶

CVEList

CVE-2016-8629: Red Hat Keycloak before version 2↗2018-03-12

▶

📋Vendor Advisories

1

Red Hat

keycloak: user deletion via incorrect permissions check↗2017-04-04

▶

💬Community

1

Bugzilla

CVE-2016-8629 keycloak: user deletion via incorrect permissions check↗2016-10-26

▶

CVE-2016-8629 (MEDIUM CVSS 6.5) | Red Hat Keycloak before version 2.4 | cvebase.io