CVE-2016-8629

MEDIUM

Red Hat Keycloak <2.4.0 - Privilege Escalation

Title source: llm

Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the REST server. An attacker authenticated as a service account could use this flaw to bypass normal permission checks and delete users in a separate realm.

References (6)

Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2017-0876.html
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1038180
Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=1388988
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/97392
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2017:0873
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2017:0872

Scores

CVSS v3 6.5
EPSS 0.0021
EPSS Percentile 43.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-284 CWE-264
Status published
Products (4)
org.keycloak/keycloak-core (Maven): 0 - 2.4.0
redhat/keycloak: < 2.4.0
redhat/single_sign_on: 7.1
redhat/single_sign_on: 7.2
Published Mar 12, 2018
Tracked Since Feb 18, 2026