{
  "threat_severity" : "Moderate",
  "public_date" : "2020-11-04T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: user can manage resources with just \"view-profile\" role using new Account Console",
    "id" : "1875843",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1875843"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-916",
  "details" : [ "It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.", "A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission." ],
  "acknowledgement" : "This issue was discovered by Václav Muzikář (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7.4.3",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4931",
    "cpe" : "cpe:/a:redhat:jboss_single_sign_on:7.4"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 6",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4929",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el6",
    "package" : "rh-sso7-keycloak-0:9.0.9-1.redhat_00001.1.el6sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 7",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4930",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el7",
    "package" : "rh-sso7-keycloak-0:9.0.9-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4932",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-keycloak-0:9.0.9-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.4 for RHEL 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4932",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7::el8",
    "package" : "rh-sso7-libunix-dbus-java-0:0.8.0-2.el8sso"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14389\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14389" ],
  "name" : "CVE-2020-14389",
  "csaw" : false
}