CVE-2020-10686 — Improper Authorization in Keycloak

CWE-285 — Improper Authorization6 documents6 sources

Severity

4.7MEDIUMNVD

CNA4.1

EPSS

0.2%

top 53.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Keycloak Redhat Keycloak

Timeline

PublishedMay 4

Latest updateMay 24

Description

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages2 packages

▶NVDredhat/keycloak8.0.2, 9.0.0+1

▶CVEListV5keycloak/keycloak8.0.2, 9.0.0+1

🔴Vulnerability Details

OSV

Keycloak users may be able to remove MFA from other users' devices↗2022-05-24

▶

GHSA

Keycloak users may be able to remove MFA from other users' devices↗2022-05-24

▶

CVEList

CVE-2020-10686: A flaw was found in Keycloak version 8↗2020-05-04

▶

📋Vendor Advisories

Red Hat

keycloak: remove other users MFA devices↗2020-04-29

▶

💬Community

Bugzilla

CVE-2020-10686 keycloak: remove other users MFA devices↗2020-03-18

▶