CVE-2020-10686
4.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Summary
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Keycloak | keycloak | 8.0.2 | affected |
| Keycloak | keycloak | 9.0.0 | affected |
Weaknesses
- CWE-285: CWE-285
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.