CVE-2016-8629
Moderate severity vulnerability that affects org.keycloak:keycloak-core
EPSS 0.21%
Description
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the REST server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
How to fix CVE-2016-8629
To remediate CVE-2016-8629, upgrade the affected package to a fixed version below.
- Maven/org.keycloak:keycloak-core—upgrade to 2.4.0 or later
Is CVE-2016-8629 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.4.0