Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04M3g0LTljd3ItNTQ4N80gtA
Improper Authorization in Keycloak
An incorrect authorization flaw was found in Keycloak 12.0.0. The flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even where new user registration is disabled.
Permalink: https://github.com/advisories/GHSA-83x4-9cwr-5487
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04M3g0LTljd3ItNTQ4N80gtA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-83x4-9cwr-5487, CVE-2021-4133
References:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
- https://nvd.nist.gov/vuln/detail/CVE-2021-4133
- https://github.com/keycloak/keycloak/issues/9247
- https://bugzilla.redhat.com/show_bug.cgi?id=2033602
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-83x4-9cwr-5487
Blast Radius: 24.2
Affected Packages
maven:org.keycloak:keycloak-services
Dependent packages: 90
Dependent repositories: 561
Downloads:
Affected Version Ranges: < 15.1.1
Fixed in: 15.1.1
All affected versions: 5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0
All unaffected versions: 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 24.0.0, 24.0.1, 24.0.2, 24.0.3