CVE-2016-8629

Summary

Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.

Affected Software

VendorProductVersion RangeStatus
Red Hat, Inc.Keycloak2.4.0affected

Weaknesses

  • CWE-284: CWE-284

ADP Enrichment

CVE Program Container

Additional References

References