{"containers": {"cna": {"affected": [{"product": "Keycloak", "vendor": "n/a", "versions": [{"status": "affected", "version": "keycloak 15.1.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:57:36", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/keycloak/keycloak/issues/9247"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-4133", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Keycloak", "version": {"version_data": [{"version_value": "keycloak 15.1.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"}, {"name": "https://github.com/keycloak/keycloak/issues/9247", "refsource": "MISC", "url": "https://github.com/keycloak/keycloak/issues/9247"}, {"name": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487", "refsource": "MISC", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:16:04.238Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/keycloak/keycloak/issues/9247"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-4133", "datePublished": "2022-01-25T19:11:13", "dateReserved": "2021-12-17T00:00:00", "dateUpdated": "2024-08-03T17:16:04.238Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "A401BE6A-3227-4F4D-9FA8-35B61B86B79A", "versionEndExcluding": "15.1.1", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled."}, {"lang": "es", "value": "Se ha encontrado un fallo en Keycloak en las versiones a partir de la 12.0.0 y anteriores hasta 15.1.1, que permite a un atacante con cualquier cuenta de usuario existente crear nuevas cuentas de usuario por defecto por medio de la API REST administrativa incluso cuando el registro de nuevos usuarios est\u00e1 deshabilitado"}], "id": "CVE-2021-4133", "lastModified": "2022-09-03T03:33:21.120", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-25T20:15:08.607", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/issues/9247"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487"}, {"source": "secalert@redhat.com", "tags": ["Not Applicable"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Grzegorz Soba\u0144ski (MLabs) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:5218", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7", "package": "rh-sso7-keycloak-0:15.0.2-3.redhat_00002.1.el7sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 7", "release_date": "2021-12-20T00:00:00Z"}, {"advisory": "RHSA-2022:0151", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 7", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2021:5219", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8", "package": "rh-sso7-keycloak-0:15.0.2-3.redhat_00002.1.el8sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 8", "release_date": "2021-12-20T00:00:00Z"}, {"advisory": "RHSA-2022:0152", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 8", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2022:0015", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "redhat-sso-7-sso75-openshift-rhel8-container-7.5-11", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-01-04T00:00:00Z"}, {"advisory": "RHSA-2022:0015", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.0-11", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-01-04T00:00:00Z"}, {"advisory": "RHSA-2022:0034", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.0-12", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-01-05T00:00:00Z"}, {"advisory": "RHSA-2022:0164", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "redhat-sso-7-sso75-openshift-rhel8-container-7.5-15", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-01-18T00:00:00Z"}, {"advisory": "RHSA-2022:0155", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "keycloak-services", "product_name": "RHSSO 7.5.1", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2021:5217", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "keycloak-services", "product_name": "RHSSO 7.5 async for CVE-2021-4133", "release_date": "2021-12-20T00:00:00Z"}], "bugzilla": {"description": "Keycloak: Incorrect authorization allows unpriviledged users to create other users", "id": "2033602", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "status": "verified"}, "cwe": "CWE-863", "details": ["A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.", "A flaw was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled."], "mitigation": {"lang": "en:us", "value": "Access to the user-creation functionality in the REST endpoint can be deactivated using CLI commands in undertow.\nrun:\nbin/jboss-cli.sh --connect\n/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add( \\\nexpression=\"(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)\" \\\n)\n/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()"}, "name": "CVE-2021-4133", "package_state": [{"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Not affected", "package_name": "keycloak-services", "product_name": "Red Hat A-MQ Online"}], "public_date": "2021-12-16T17:05:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-4133\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-4133\nhttps://github.com/keycloak/keycloak/issues/9247\nhttps://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487"], "statement": "This flaw affects only Red Hat Single Sign-on 7.5.0. Red Hat Single Sign-on 7.4.x releases are NOT affected. Fix is available for download from customer portal which can be applied on RH-SSO 7.5.0", "threat_severity": "Important", "upstream_fix": "keycloak 15.1.1, keycloak 16.0.0"}