CVE-2020-14389Use of Password Hash With Insufficient Computational Effort in Redhat Keycloak

CWE-916Use of Password Hash With Insufficient Computational EffortCWE-269Improper Privilege Management6 documents6 sources
Severity
8.1HIGHNVD
EPSS
0.1%
top 64.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Keycloak
Timeline
PublishedNov 17
Latest updateNov 10

Description

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDredhat/keycloak< 12.0.0
CVEListV5redhat/keycloakbefore version 12.0.0

🔴Vulnerability Details

3
GHSA
Improper privilege management in Keycloak2021-11-10
OSV
Improper privilege management in Keycloak2021-11-10
CVEList
CVE-2020-14389: It was found that Keycloak before version 122020-11-17

📋Vendor Advisories

1
Red Hat
keycloak: user can manage resources with just "view-profile" role using new Account Console2020-11-04

💬Community

1
Bugzilla
CVE-2020-14389 keycloak: user can manage resources with just "view-profile" role using new Account Console2020-09-04
CVE-2020-14389 — Redhat Keycloak vulnerability | cvebase