CVE-2020-10686

MEDIUM4.7EPSS 0.24%

Keycloak users may be able to remove MFA from other users' devices

Published: 5/24/2022Modified: 4/23/2024

Description

A community-only flaw was found where a malicious user can register himself and then uses the "remove devices" form to post different credential ids with the hope of removing MFA devices for other users.

Affected packages (1)

Maven/org.keycloak:keycloak-corefrom 0, < 9.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-10686
PATCHhttps://github.com/keycloak/keycloak
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686
WEBhttps://github.com/keycloak/keycloak/commit/5ddd605ee96b8551c7eb00b609a0b97939925b77