CVE-2022-1466

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

Published: Apr 26, 2022
Updated: May 9, 2024
CVE: CVE-2022-1466
GHSA: GHSA-f32v-vf79-p29q
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
redhat / keycloak	-	17.0.1
redhat / single_sign-on	7.5.0	7.5.0.x
org.keycloak / keycloak-core	-	17.0.1

https://bugzilla.redhat.com/show_bug.cgi?id=2050228
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076

Vulnerability Database

289,599

CVE-2022-1466