A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using the Account REST API. This flaw allows a malicious user to change their own NameID attribute to impersonate the admin user for any particular application.
Vulnerable Product |
---|
redhat keycloak |
redhat single sign-on |
redhat single sign-on 7.4 |
redhat single sign-on 7.4.4 |