Vulnerability Name: CVE-2021-4133 (CCN-220193)

Assigned: 2021-12-17
Published: 2022-01-18
Updated: 2022-09-03
Summary: A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.
CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-863 (Incorrect Authorization)
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2021-4133

Source: CCN
Type: Red Hat Bugzilla - Bug 2033602 (CVE-2021-4133)
CVE-2021-4133 Keycloak: Incorrect authorization allows unprivileged users to create other users

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2033602

Source: XF
Type: UNKNOWN
keycloak-cve20214133-sec-bypass(220193)

Source: CCN
Type: Keycloak GIT Repository
Incorrect authorization allows unprivileged users to create other users #9247

Source: MISC
Type: Third Party Advisory
https://github.com/keycloak/keycloak/issues/9247

Source: MISC
Type: Third Party Advisory
https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487

Source: CCN
Type: IBM Security Bulletin 6844687 (Rational Test Automation Server)
Rational Test Automation Server is vulnerable to incorrect authorization vulnerability due to Keycloak (CVE-2021-4133)

Source: CCN
Type: Mend Vulnerability Database
CVE-2021-4133

Source: MISC
Type: Not Applicable
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:redhat:keycloak:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 15.1.1)

Configuration CCN 1:
  • cpe:/a:redhat:keycloak:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:keycloak:15.1.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Vendor   Product    Version
redhat   keycloak   *
redhat   keycloak   12.0.0
redhat   keycloak   15.1.0