Execution with Unnecessary Privileges

CVE-2020-27826

Medium

4.2/10

Summary

A flaw was found in Keycloak before version 12.0.2 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-250 - Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

References

Advisory
Issue
Pull request

Advisory Timeline

Published May 28, 2021

Execution with Unnecessary Privileges

CVE-2020-27826

Summary

CWE-250 - Execution with Unnecessary Privileges

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS