CVE-2020-27826

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Published: May 28, 2021
Updated: May 9, 2024
CVE: CVE-2020-27826
GHSA: GHSA-m9cj-v55f-8x26
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.2
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.9
AV:N/AC:M/Au:S/C:P/I:P/A:N

CWEs:

CWE-250

Affected Software
References

Software	From	Fixed in
redhat / keycloak	-	12.0.0
redhat / single_sign-on	7.4	7.4.x
redhat / single_sign-on	7.4.4	7.4.4.x
org.keycloak / keycloak-core	-	12.0.0

https://access.redhat.com/security/cve/cve-2020-27826
https://bugzilla.redhat.com/show_bug.cgi?id=1905089
https://github.com/keycloak/keycloak/commit/dae4a3eaf26590b8d441b8e4bec3b700ee303b72

Vulnerability Database

289,599

CVE-2020-27826