Описание
No description is available for this CVE.
Отчет
The issue was rated as Moderate. This flaw in Keycloak allows information disclosure due to improper role enforcement in the UMA 2.0 Protection API. An authenticated user with a token issued for a resource server client, even without the uma_protection role, can enumerate all permission tickets in the system.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Affected |
Показывать по
10
Дополнительная информация
Статус:
Moderate
Дефект:
CWE-280
https://bugzilla.redhat.com/show_bug.cgi?id=2442572keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API
4.3 Medium
CVSS3
Связанные уязвимости
4.3 Medium
CVSS3