Description
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
Statement
This flaw affects only Red Hat Single Sign-On 7.5.0. Red Hat Single Sign-On 7.4.x releases are NOT affected. A fix is available for download from the Customer Portal and can be applied to RH-SSO 7.5.0.
Mitigation
Access to the user-creation functionality in the REST endpoint can be deactivated using CLI commands in Undertow.
Run:
```shell
bin/jboss-cli.sh --connect
/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add(expression="(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()
```
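As an added verification aid that is not part of the original advisory, the following Python script applies the same path pattern as the Undertow filter above to access-log lines and reports every POST to the users-create endpoint together with whether it was answered with the filter's 400. The log layout and the sample lines are constructed assumptions; adapt the line regex to your own access-log format.

```python
import re
from dataclasses import dataclass

# Same path pattern as the Undertow expression-filter in the mitigation above.
USERS_CREATE_RE = re.compile(r"^/auth/admin/realms/(.*)/users$")

# Constructed sample access-log lines (not real traffic), in a common layout:
# client ident user [timestamp] "METHOD path HTTP/x" status bytes
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2021:10:00:01 +0000] "POST /auth/admin/realms/master/users HTTP/1.1" 400 0
10.0.0.5 - - [20/Dec/2021:10:00:02 +0000] "GET /auth/admin/realms/master/users HTTP/1.1" 200 512
10.0.0.7 - - [20/Dec/2021:10:00:03 +0000] "POST /auth/admin/realms/demo/users?x=1 HTTP/1.1" 201 0
10.0.0.7 - - [20/Dec/2021:10:00:04 +0000] "POST /auth/admin/realms/demo/users/abc/reset-password HTTP/1.1" 204 0
"""

# Assumed log layout; adjust for your server's access-log pattern.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    client: str
    realm: str
    status: int
    blocked: bool  # True when the server answered 400, as the filter would


def audit_user_creation(log_text: str) -> list[Finding]:
    """Return one Finding per POST to the admin users-create endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # The Undertow regex is applied to the request path only, so drop any
        # query string before matching (assumption: the log stores the full target).
        path = m["path"].split("?", 1)[0]
        pm = USERS_CREATE_RE.match(path)
        if not pm:
            continue
        status = int(m["status"])
        findings.append(Finding(m["client"], pm.group(1), status, status == 400))
    return findings


def unblocked(findings: list[Finding]) -> list[Finding]:
    """POSTs that were not answered with 400: the filter was absent or bypassed."""
    return [f for f in findings if not f.blocked]
```

Any entry returned by `unblocked()` after the filter was installed means a user-creation request reached Keycloak and deserves follow-up.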
Affected Packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat A-MQ Online | keycloak-services | Not affected | | |
| Red Hat Single Sign-On 7.5 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2021:5218 | 20.12.2021 |
| Red Hat Single Sign-On 7.5 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2022:0151 | 17.01.2022 |
| Red Hat Single Sign-On 7.5 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2021:5219 | 20.12.2021 |
| Red Hat Single Sign-On 7.5 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2022:0152 | 17.01.2022 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso75-openshift-rhel8 | Fixed | RHSA-2022:0015 | 04.01.2022 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso7-rhel8-operator-bundle | Fixed | RHSA-2022:0015 | 04.01.2022 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso7-rhel8-operator-bundle | Fixed | RHSA-2022:0034 | 05.01.2022 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso75-openshift-rhel8 | Fixed | RHSA-2022:0164 | 18.01.2022 |
| RHSSO 7.5.1 | keycloak-services | Fixed | RHSA-2022:0155 | 17.01.2022 |
Additional Information
CVSS3 base score: 8.3 (High)