Description
A flaw was found in Keycloak versions 8.0.2 and 9.0.0, fixed in Keycloak version 9.0.1, where a malicious user registers an ordinary account for themselves. The attacker could then use the remove-devices form to post different credential IDs and possibly remove MFA devices belonging to other users.
Vulnerable configurations
EPSS
- CVSS3: 4.1 Medium
- CVSS3: 4.7 Medium
- CVSS2: 6.5 Medium
Defects
Related vulnerabilities
Keycloak users may be able to remove MFA from other users' devices