CVE-2020-27826 - log

CVE-2020-27826 edited at 08 Dec 2020 14:10:13
Description
- A flaw was found in keycloak version prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
+ A flaw was found in keycloak versions prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
CVE-2020-27826 edited at 08 Dec 2020 14:09:53
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Privilege escalation
Description
+ A flaw was found in keycloak version prior to 12.0.0 where it is possible to update the user's meta-data attributes using Account REST API. It is now possible for any evil user to change its own NameID attribute to impersonate the admin user for any particular application.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1905089
Notes
CVE-2020-27826 created at 08 Dec 2020 14:05:43