CVE-2016-8629

Severity CVSS v4.0:
Pending analysis
Type:
CWE-284 Improper Access Control
Publication date:
12/03/2018
Last modified:
17/06/2026

Description

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:* 2.4.0 (excluding)
cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign_on:7.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*