CVE-2020-10686
Keycloak users may be able to remove MFA from other users' devices
4.7
MEDIUM
CVSS 3.1
EPSS 0.24%
Description
A community-only flaw was found in Keycloak where a malicious user can register an account and then use the "remove devices" form to post different credential IDs in the hope of removing MFA devices belonging to other users.
How to fix CVE-2020-10686
To remediate CVE-2020-10686, upgrade the affected package to a fixed version below.
- Maven/org.keycloak:keycloak-core: upgrade to 9.0.2 or later
Is CVE-2020-10686 being exploited?
Low: EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.keycloak:keycloak-core: versions from 0 up to, but not including, 9.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.7) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |