Vulnerability Details : CVE-2021-4133
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
Products affected by CVE-2021-4133
- cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-4133
- EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~61% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-4133
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2021-4133
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2021-4133
- https://bugzilla.redhat.com/show_bug.cgi?id=2033602
  Title: 2033602 – (CVE-2021-4133) CVE-2021-4133 Keycloak: Incorrect authorization allows unpriviledged users to create other users
  Tags: Issue Tracking; Third Party Advisory
- https://github.com/keycloak/keycloak/issues/9247
  Title: Incorrect authorization allows unpriviledged users to create other users · Issue #9247 · keycloak/keycloak · GitHub
  Tags: Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.html
  Title: Oracle Critical Patch Update Advisory - April 2022
  Tags: Not Applicable
- https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
  Title: Incorrect authorization allows unpriviledged users to create other users · Advisory · keycloak/keycloak · GitHub
  Tags: Third Party Advisory