Description
Keycloak users may be able to remove MFA from other users' devices
A flaw affecting only the community edition of Keycloak was found where a malicious user can self-register and then use the "remove devices" form to post credential IDs other than their own, in the hope of removing MFA devices that belong to other users. The form trusted the submitted credential ID without verifying that the credential belonged to the logged-in user.
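The missing ownership check behind this flaw, as an added illustration that is not Keycloak's own code: a hypothetical in-memory credential store with the vulnerable "delete whatever ID was posted" handler beside a hardened one that first verifies the credential belongs to the logged-in user, plus a spray routine that plays the self-registered attacker posting guessed credential IDs. All class, function, user and credential ID names below are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Credential:
    id: str             # opaque id the "remove devices" form posts back
    owner_user_id: str  # user the credential belongs to
    type: str           # "otp" marks a TOTP device (second factor)


class CredentialStore:
    """Hypothetical in-memory stand-in for an identity provider's credential table."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Credential] = {}

    def add(self, cred: Credential) -> None:
        self._by_id[cred.id] = cred

    def get(self, cred_id: str) -> Optional[Credential]:
        return self._by_id.get(cred_id)

    def delete(self, cred_id: str) -> bool:
        return self._by_id.pop(cred_id, None) is not None

    def mfa_count(self, user_id: str) -> int:
        return sum(1 for c in self._by_id.values()
                   if c.owner_user_id == user_id and c.type == "otp")


def remove_device_unchecked(store: CredentialStore, caller_user_id: str,
                            submitted_credential_id: str) -> bool:
    """VULNERABLE pattern: trusts the submitted id and deletes whatever it names.
    The caller's identity is never compared with the credential's owner, so any
    self-registered user can strip other users' MFA devices."""
    return store.delete(submitted_credential_id)


def remove_device_checked(store: CredentialStore, caller_user_id: str,
                          submitted_credential_id: str) -> bool:
    """HARDENED pattern: resolve the credential and require that the logged-in
    user owns it. Unknown ids and other users' ids both yield False, so the
    response does not reveal which ids exist."""
    cred = store.get(submitted_credential_id)
    if cred is None or cred.owner_user_id != caller_user_id:
        return False
    return store.delete(submitted_credential_id)


Remover = Callable[[CredentialStore, str, str], bool]


def spray_credential_ids(store: CredentialStore, remove_device: Remover,
                         attacker_user_id: str, guessed_ids: Iterable[str]) -> int:
    """The attack described in the advisory: a self-registered user submits the
    remove-devices form once per guessed credential id. Returns how many
    submissions actually deleted a credential."""
    return sum(1 for cid in guessed_ids
               if remove_device(store, attacker_user_id, cid))


def build_store() -> CredentialStore:
    """Constructed sample data (not real Keycloak records)."""
    store = CredentialStore()
    store.add(Credential("cred-1001", "victim", "otp"))
    store.add(Credential("cred-1002", "victim", "password"))
    store.add(Credential("cred-2001", "attacker", "otp"))
    return store


def demo() -> Dict[str, int]:
    """Runs the same id spray against both handlers and reports the outcome."""
    guesses = ["cred-1000", "cred-1001", "cred-1002", "cred-1003"]
    vulnerable = build_store()
    hits_vulnerable = spray_credential_ids(
        vulnerable, remove_device_unchecked, "attacker", guesses)
    hardened = build_store()
    hits_hardened = spray_credential_ids(
        hardened, remove_device_checked, "attacker", guesses)
    return {
        "vulnerable_deletions": hits_vulnerable,
        "victim_mfa_after_vulnerable": vulnerable.mfa_count("victim"),
        "hardened_deletions": hits_hardened,
        "victim_mfa_after_hardened": hardened.mfa_count("victim"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the victim lose both credentials under the unchecked handler and keep them under the checked one. The hardened handler also returns the same failure for unknown and foreign IDs, so the form cannot be turned into an oracle for enumerating other users' credential IDs.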
Packages
Package: org.keycloak:keycloak-core
Affected versions: <= 9.0.1
Patched version: 9.0.2
Related vulnerabilities
A flaw was found in Keycloak versions 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user self-registers. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.