CVE-2021-4133

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

Published: Jan 25, 2022
Updated: May 9, 2024
CVE: CVE-2021-4133
GHSA: GHSA-83x4-9cwr-5487
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
redhat / keycloak	12.0.0	15.1.1
org.keycloak / keycloak-services	-	15.1.1

https://bugzilla.redhat.com/show_bug.cgi?id=2033602
https://github.com/keycloak/keycloak/issues/9247
https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerability Database

289,599

CVE-2021-4133