CVE-2016-8629

medium

Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1388988

https://access.redhat.com/errata/RHSA-2017:0873

https://access.redhat.com/errata/RHSA-2017:0872

http://www.securitytracker.com/id/1038180

http://www.securityfocus.com/bid/97392

http://rhn.redhat.com/errata/RHSA-2017-0876.html

Details

Source: Mitre, NVD

Published: 2018-03-12

Updated: 2019-10-09

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium