Keycloak users may be able to remove MFA from other users' devices

GHSA-9695-w6h2-jpv9 · CVE-2020-10686

Published May 24, 2022 · Modified Apr 23, 2024

Description

A community-only flaw was found where a malicious user can register himself and then uses the "remove devices" form to post different credential ids with the hope of removing MFA devices for other users.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-10686
WEB https://github.com/keycloak/keycloak/commit/5ddd605ee96b8551c7eb00b609a0b97939925b77
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes