CVE-2020-27826: Execution with Unnecessary Privileges

May 28, 2021 (updated June 4, 2021)

A flaw was found in Keycloak where it is possible to update the user’s metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

References

bugzilla.redhat.com/show_bug.cgi?id=1905089
nvd.nist.gov/vuln/detail/CVE-2020-27826

Code Behaviors & Features

Detect and mitigate CVE-2020-27826 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →