CVE-2020-27826

HIGH8.8EPSS 0.17%

Authentication Bypass in keycloak

Published: 3/18/2022Modified: 11/8/2023

Description

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Affected packages (1)

Maven/org.keycloak:keycloak-corefrom 0, < 12.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-27826
WEBhttps://access.redhat.com/security/cve/cve-2020-27826
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1905089
WEBhttps://github.com/keycloak/keycloak/commit/dae4a3eaf26590b8d441b8e4bec3b700ee303b72