CVE-2021-20262: Missing Authentication for Critical Function in Redhat Keycloak

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.0% (top 86.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 9; Latest update Mar 12

Description

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user's browser. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 0.9 | Impact: 5.9)

Affected Packages (3 packages)

CVEList V5: redhat/keycloak, Keycloak 12.0.0
NVD: redhat/keycloak 12.0.0

Vulnerability Details (3)

GHSA: Keycloak Missing authentication for critical function (2021-03-12)
OSV: Keycloak Missing authentication for critical function (2021-03-12)
CVEList: CVE-2021-20262: A flaw was found in Keycloak 12 (2021-03-09)

Vendor Advisories (1)

Red Hat: keycloak: missing re-authentication while updating password (2021-03-01)
CVE-2021-20262 — Redhat Keycloak vulnerability | cvebase