CVE-2020-10686

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10686 Issue Tracking Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:keycloak:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:8.0.2:*:*:*:*:*:*:*

Information

Published : 2020-05-04 09:15

Updated : 2022-08-05 07:32


NVD link : CVE-2020-10686

Mitre link : CVE-2020-10686

Products Affected
No products.