8.8

CVE-2021-4133

Incorrect authorization allows unpriviledged users to create other users

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version >= 12.0.0 < 15.1.1
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version < 16.0.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.35% 0.678
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.oracle.com/security-alerts/cpuapr2022.html
Not Applicable
https://bugzilla.redhat.com/show_bug.cgi?id=2033602
Third Party Advisory
Issue Tracking
https://github.com/keycloak/keycloak/issues/9247
Third Party Advisory
https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
Third Party Advisory
https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
Third Party Advisory