Detections
Analytics

CVE-2016-8629

medium

Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

References

http://www.securitytracker.com/id/1038180

http://www.securityfocus.com/bid/97392

http://rhn.redhat.com/errata/RHSA-2017-0876.html

https://bugzilla.redhat.com/show_bug.cgi?id=1388988

https://access.redhat.com/errata/RHSA-2017:0873

https://access.redhat.com/errata/RHSA-2017:0872

Details

Source: Mitre, NVD

Published: 2018-03-12

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00454