It was found that keycloak did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
Find out more about CVE-2016-8629 from the MITRE CVE dictionary dictionary and NIST NVD.
Base Score | 4 |
---|---|
Base Metrics | AV:N/AC:L/Au:S/C:N/I:P/A:N |
Access Vector | Network |
Access Complexity | Low |
Authentication | Single |
Confidentiality Impact | None |
Integrity Impact | Partial |
Availability Impact | None |
CVSS3 Base Score | 4.3 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity Impact | Low |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Single Sign-On 7.1 for RHEL 6 Server | RHSA-2017:0872 | 2017-04-04 |
Red Hat Single Sign-On 7.1 | RHSA-2017:0876 | 2017-04-04 |
Red Hat Single Sign-On 7.1 for RHEL 7 Server | RHSA-2017:0873 | 2017-04-04 |