CVE-2020-10686

Summary

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

Affected Software

VendorProductVersion RangeStatus
Keycloakkeycloak8.0.2affected
Keycloakkeycloak9.0.0affected

Weaknesses

  • CWE-285: CWE-285

ADP Enrichment

CVE Program Container

Additional References

References