CVE-2022-1466 — Incorrect Authorization in Redhat Single Sign-on

CWE-863 — Incorrect Authorization CWE-1220 — Insufficient Granularity of Access Control6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 63.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedApr 26

Latest updateApr 27

Description

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/single_sign-on7.5.0

▶NVDredhat/keycloak< 17.0.1

🔴Vulnerability Details

GHSA

Improper authorization in Keycloak↗2022-04-27

▶

OSV

Improper authorization in Keycloak↗2022-04-27

▶

CVEList

CVE-2022-1466: Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform↗2022-04-26

▶

📋Vendor Advisories

Red Hat

keycloak: Improper authorization for master realm↗2022-01-10

▶