User Registration Vulnerability in Keycloak 8.0.2 and 9.0.0 Allows Malicious Users to Remove MFA Devices

CVE-2020-10686 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

A flaw was found in Keycloak versions 8.0.2 and 9.0.0, fixed in Keycloak version 9.0.1, where a malicious user who registers an account of their own can then use the remove-devices form to post credential IDs other than their own, possibly removing MFA devices belonging to other users.
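The root cause described above is a missing ownership check: the form accepts a credential ID from the client and acts on it without confirming that the credential belongs to the authenticated user. The following is an added, self-contained illustration of that pattern and its fix; it is not Keycloak's code, and the store, credential IDs, user names and function names are all constructed for the example. The hardened version also records denied attempts so they can be alerted on.

```python
"""Ownership check on a credential-removal form (illustrative, not Keycloak code).

All names and the in-memory credential store below are constructed for this
example. The flawed function trusts the posted credential ID; the hardened one
resolves the credential server-side and refuses unless the session user owns it.
"""
from dataclasses import dataclass, field


@dataclass
class Credential:
    credential_id: str
    user_id: str
    kind: str  # e.g. "otp" or "webauthn"


@dataclass
class CredentialStore:
    """Constructed in-memory stand-in for a credential table plus an audit trail."""
    creds: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add(self, cred: Credential) -> None:
        self.creds[cred.credential_id] = cred

    def get(self, credential_id: str):
        return self.creds.get(credential_id)


def remove_credential_unchecked(store: CredentialStore, credential_id: str) -> bool:
    """Flawed pattern: deletes whatever credential the client names (insecure direct
    object reference). Returns True if something was deleted."""
    return store.creds.pop(credential_id, None) is not None


def remove_credential(store: CredentialStore, session_user_id: str, credential_id: str) -> bool:
    """Hardened pattern: the credential must exist AND belong to the session user.

    Returns True on removal. A missing credential and a credential owned by
    someone else produce the same False result, so the form cannot be used to
    tell other users' credential IDs apart from nonexistent ones; both cases
    are written to the audit list for detection.
    """
    cred = store.get(credential_id)
    if cred is None or cred.user_id != session_user_id:
        store.audit.append(("denied_credential_removal", session_user_id, credential_id))
        return False
    del store.creds[credential_id]
    store.audit.append(("credential_removed", session_user_id, credential_id))
    return True


def build_sample_store() -> CredentialStore:
    """Constructed sample data: two users, each with one OTP credential."""
    store = CredentialStore()
    store.add(Credential("cred-alice-otp", "alice", "otp"))
    store.add(Credential("cred-bob-otp", "bob", "otp"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    # A self-registered user "mallory" submits bob's credential ID to the unchecked handler.
    print(remove_credential_unchecked(s, "cred-bob-otp"))   # True: bob's MFA device is gone

    s = build_sample_store()
    print(remove_credential(s, "mallory", "cred-bob-otp"))  # False: refused and audited
    print(remove_credential(s, "bob", "cred-bob-otp"))      # True: the owner may remove it
    print(s.audit)
```

The essential point is that `session_user_id` comes from the server-side session, never from the request body, and that the lookup is by (credential, owner) rather than by credential alone. Counting `denied_credential_removal` events per account is a cheap detection signal for this class of bug.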