Improper Authorization Affecting org.keycloak:keycloak-core package, versions [,17.0.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.08% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGKEYCLOAK-2805802
  • published29 Apr 2022
  • disclosed27 Apr 2022
  • creditChristian Dölling of SySS GmbH

Introduced: 27 Apr 2022

CVE-2022-1466  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade org.keycloak:keycloak-core to version 17.0.1 or higher.

Overview

org.keycloak:keycloak-core is an open source identity and access management solution.

Affected versions of this package are vulnerable to Improper Authorization and as a result, Red Hat Single Sign-On, a project based on keycloak, is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

CVSS Scores

version 3.1