6.5

CVE-2016-8629

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version < 2.4.0
RedhatSingle Sign On Version7.1
   RedhatEnterprise Linux Server Version6.0
   RedhatEnterprise Linux Server Version7.0
RedhatSingle Sign On Version7.2
   RedhatEnterprise Linux Server Version6.0
   RedhatEnterprise Linux Server Version7.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.44
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:N/I:P/A:P
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

http://www.securityfocus.com/bid/97392
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038180
Third Party Advisory
VDB Entry