Description
A flaw was found in Keycloak versions 8.0.2 and 9.0.0, fixed in Keycloak version 9.0.1, where a malicious user registers an account for themselves. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices belonging to other users.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Not affected | | |
Additional information
Status:
CVSS3: 4.1 Medium
Related vulnerabilities
Keycloak users may be able to remove MFA from other users' devices
CVSS3: 4.1 Medium