Vulnerability Description
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Keycloak | < 2.4.0 |
| Redhat | Single Sign On | 7.1 |
| Redhat | Enterprise Linux Server | 6.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2017-0876.htmlThird Party Advisory
- http://www.securityfocus.com/bid/97392Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038180Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:0872Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:0873Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1388988Issue Tracking
- http://rhn.redhat.com/errata/RHSA-2017-0876.htmlThird Party Advisory
- http://www.securityfocus.com/bid/97392Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1038180Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:0872Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:0873Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1388988Issue Tracking
FAQ
What is CVE-2016-8629?
CVE-2016-8629 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication ...
How severe is CVE-2016-8629?
CVE-2016-8629 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-8629?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Single Sign On, Redhat Enterprise Linux Server.