Описание
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | keycloak | Not affected | ||
| Red Hat Fuse 7 | keycloak | Not affected | ||
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | ||
| Red Hat Process Automation 7 | keycloak | Not affected | ||
| Red Hat support for Spring Boot | keycloak | Not affected | ||
| Red Hat Single Sign-On 7.4.3 | Fixed | RHSA-2020:4931 | 04.11.2020 | |
| Red Hat Single Sign-On 7.4 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2020:4929 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2020:4930 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2020:4932 | 04.11.2020 |
| Red Hat Single Sign-On 7.4 for RHEL 8 | rh-sso7-libunix-dbus-java | Fixed | RHSA-2020:4932 | 04.11.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak before version 12.0.0 would permit a user w ...
EPSS
8.1 High
CVSS3