Vulnerability Details CVE-2016-8629
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 62.6%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.5
References
- http://rhn.redhat.com/errata/RHSA-2017-0876.html
- http://www.securityfocus.com/bid/97392
- http://www.securitytracker.com/id/1038180
- https://access.redhat.com/errata/RHSA-2017:0872
- https://access.redhat.com/errata/RHSA-2017:0873
- https://bugzilla.redhat.com/show_bug.cgi?id=1388988
- http://rhn.redhat.com/errata/RHSA-2017-0876.html
- http://www.securityfocus.com/bid/97392
- http://www.securitytracker.com/id/1038180
- https://access.redhat.com/errata/RHSA-2017:0872
- https://access.redhat.com/errata/RHSA-2017:0873
- https://bugzilla.redhat.com/show_bug.cgi?id=1388988
Products affected by CVE-2016-8629
-
cpe:2.3:a:redhat:keycloak:-
-
cpe:2.3:a:redhat:keycloak:1.0
-
cpe:2.3:a:redhat:keycloak:1.0.0
-
cpe:2.3:a:redhat:keycloak:1.0.1
-
cpe:2.3:a:redhat:keycloak:1.0.2
-
cpe:2.3:a:redhat:keycloak:1.0.3
-
cpe:2.3:a:redhat:keycloak:1.0.4
-
cpe:2.3:a:redhat:keycloak:1.0.5
-
cpe:2.3:a:redhat:keycloak:1.1.0
-
cpe:2.3:a:redhat:keycloak:1.1.1
-
cpe:2.3:a:redhat:keycloak:1.2.0
-
cpe:2.3:a:redhat:keycloak:1.3.0
-
cpe:2.3:a:redhat:keycloak:1.3.1
-
cpe:2.3:a:redhat:keycloak:1.4.0
-
cpe:2.3:a:redhat:keycloak:1.5.0
-
cpe:2.3:a:redhat:keycloak:1.5.1
-
cpe:2.3:a:redhat:keycloak:1.6.0
-
cpe:2.3:a:redhat:keycloak:1.6.1
-
cpe:2.3:a:redhat:keycloak:1.7.0
-
cpe:2.3:a:redhat:keycloak:1.8.0
-
cpe:2.3:a:redhat:keycloak:1.8.1
-
cpe:2.3:a:redhat:keycloak:1.8.2
-
cpe:2.3:a:redhat:keycloak:1.9.0
-
cpe:2.3:a:redhat:keycloak:1.9.1
-
cpe:2.3:a:redhat:keycloak:1.9.2
-
cpe:2.3:a:redhat:keycloak:1.9.3
-
cpe:2.3:a:redhat:keycloak:1.9.4
-
cpe:2.3:a:redhat:keycloak:1.9.5
-
cpe:2.3:a:redhat:keycloak:1.9.6
-
cpe:2.3:a:redhat:keycloak:1.9.7
-
cpe:2.3:a:redhat:keycloak:1.9.8
-
cpe:2.3:a:redhat:keycloak:2.0.0
-
cpe:2.3:a:redhat:keycloak:2.1.0
-
cpe:2.3:a:redhat:keycloak:2.2.0
-
cpe:2.3:a:redhat:keycloak:2.2.1
-
cpe:2.3:a:redhat:keycloak:2.3.0
-
cpe:2.3:a:redhat:single_sign_on:7.1
-
cpe:2.3:a:redhat:single_sign_on:7.2
-
cpe:2.3:o:redhat:enterprise_linux_server:6.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0