CVE-2016-8629
Aliases:GHSA-778x-2mqv-w6xw
Advisory lineage Upstream: 0 Downstream: 2
Downstream
Modified
Published: 12 Mar 2018, 15:00
Last modified:16 Sept 2024, 17:52
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
v3.0 (nvd)
EPSS Score
0.21% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
12 Mar 2018, 15:00
Published
Vulnerability first disclosed
16 Sept 2024, 17:52
Last Modified
Vulnerability information updated
Description
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
CVSS Metrics
- v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- v2.0•MEDIUM•Score: 5.5AV:N/AC:L/Au:S/C:N/I:P/A:P
EPSS Trends
Current EPSS score: 0.21%• Percentile: 44%
Techniques & Countermeasures
- CWE-264•Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
- CWE-284•Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Affected Systems
- org.keycloak•keycloak-core
< 2.4.0
- red hat, inc.•keycloak
2.4.0
- redhat•keycloak
< 2.4.0
- redhat•single_sign_on
7.1 | 7.2
References (8)
- http://rhn.redhat.com/errata/RHSA-2017-0876.html
- http://www.securitytracker.com/id/1038180
- https://bugzilla.redhat.com/show_bug.cgi?id=1388988
- http://www.securityfocus.com/bid/97392
- https://access.redhat.com/errata/RHSA-2017:0873
- https://access.redhat.com/errata/RHSA-2017:0872
- https://nvd.nist.gov/vuln/detail/CVE-2016-8629
- https://github.com/advisories/GHSA-778x-2mqv-w6xw