CVE-2021-4133 — Incorrect Authorization in Redhat Keycloak

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 37.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak

Timeline

PublishedJan 25

Description

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/keycloak12.0.0 — 15.1.1

▶CVEListV5redhat/keycloakkeycloak 15.1.1

🔴Vulnerability Details

CVEList

CVE-2021-4133: A flaw was found in Keycloak in versions from 12↗2022-01-25

▶

OSV

Improper Authorization in Keycloak↗2022-01-06

▶

GHSA

Improper Authorization in Keycloak↗2022-01-06

▶

📋Vendor Advisories

Red Hat

Keycloak: Incorrect authorization allows unpriviledged users to create other users↗2021-12-16

▶