Main Vulnerability Database Vulnerabilities #VU49112

Security restrictions bypass in Keycloak - CVE-2020-27826

Published: December 21, 2020 / Updated: December 22, 2020

Vulnerability identifier: #VU49112

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-27826

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Keycloak

Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists within the REST API functionality. Remote users can change their attributes, such as NameID and impersonate administrative users of the application.

How to mitigate CVE-2020-27826

Install updates from vendor's website.

Sources

https://access.redhat.com/errata/RHSA-2020:5526
https://bugzilla.redhat.com/show_bug.cgi?id=1905089

Security restrictions bypass in Keycloak - CVE-2020-27826

Detailed vulnerability description

How to mitigate CVE-2020-27826

Sources

Please verify you're human