An incorrect authorization flaw was found in Keycloak 12.0.0; the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled.
@stianst - the version range marked as vulnerable on the GHSA is throwing our dev team off. Could you add a min affected version to it to ensure consistency with the NVD record and version declaration above as well. https://nvd.nist.gov/vuln/detail/CVE-2021-4133
Describe the bug
Security advisory:
Version
12.0.0 up to and including 15.0.0
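Since the affected range is what the thread is asking to pin down, here is a small version check that encodes the range declared above (12.0.0 up to and including 15.0.0). This is an added example, not code from the issue reporter or from the Keycloak project; the function and constant names are my own, and it assumes the range stated on this page is the authoritative one, so anything above 15.0.0 is reported as outside the stated range rather than as confirmed fixed. It compares versions numerically, which matters because a naive string comparison would rank "9.0.0" above "15.0.0".

```python
# Added example (not from the issue or the Keycloak project): check a
# Keycloak version string against the affected range declared in this issue.
import re
from typing import Tuple

# Range as stated on this page; both ends inclusive.
AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (15, 0, 0)

# MAJOR.MINOR[.PATCH], with any trailing qualifier (e.g. "-SNAPSHOT",
# ".Final") ignored for the purpose of the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a version string into a numeric (major, minor, patch) tuple.

    A missing patch component is treated as 0. Raises ValueError for
    strings that do not start with a numeric version so that a typo
    cannot silently be classified as "not affected".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True when the version falls inside the range this issue marks as vulnerable."""
    parsed = parse_version(version)
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


if __name__ == "__main__":
    # Constructed sample inputs, including a pre-release qualifier and a
    # version that a string comparison would misorder.
    for candidate in ["11.0.3", "12.0.0", "14.0.0-SNAPSHOT", "15.0.0", "15.0.1", "9.0.0"]:
        status = "affected" if is_affected(candidate) else "not in stated range"
        print(f"{candidate:>16}: {status}")
```

Run it with your server's reported version; the qualifier handling is deliberately lenient so that snapshot and ".Final" builds of an affected minor are still flagged rather than skipped.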