Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect authorization allows unpriviledged users to create other users #9247

Closed
stianst opened this issue Dec 20, 2021 · 3 comments
Closed

Incorrect authorization allows unpriviledged users to create other users #9247

stianst opened this issue Dec 20, 2021 · 3 comments
Labels
kind/bug Categorizes a PR related to a bug
Milestone
15.1.1

Comments

@stianst
Copy link
Contributor

stianst commented Dec 20, 2021
edited

Describe the bug

A incorrect authorization flaw was found in Keycloak 12.0.0, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled.

Security advisory:

Version

12.0.0 up to and including 15.0.0
@stianst stianst added kind/bug Categorizes a PR related to a bug status/triage labels Dec 20, 2021
@stianst stianst added this to the 15.1.1 milestone Dec 20, 2021
@stianst stianst closed this as completed Dec 20, 2021
@ahaerpfer ahaerpfer mentioned this issue Dec 20, 2021
Merged
@stianst stianst modified the milestones: 15.1.1, 17.0.0 Feb 2, 2022
@pranayCodes
Copy link

@stianst - the version range marked as vulnerable on the GHSA is throwing our dev team off. Could you add a min affected version to it to ensure consistency with the NVD record and version declaration above as well. https://nvd.nist.gov/vuln/detail/CVE-2021-4133

@mohamed-faris
Copy link

any POC?

@Singh1Harjot
Copy link

poc?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes a PR related to a bug
Projects
None yet
Milestone
15.1.1
Development

No branches or pull requests
4 participants
@stianst @pranayCodes @Singh1Harjot @mohamed-faris