{
  "threat_severity" : "Important",
  "public_date" : "2021-12-16T17:05:00Z",
  "bugzilla" : {
    "description" : "Keycloak: Incorrect authorization allows unprivileged users to create other users",
    "id" : "2033602",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2033602"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-863",
  "details" : [ "A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1, which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.", "A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1, which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled." ],
  "statement" : "This flaw affects only Red Hat Single Sign-on 7.5.0. Red Hat Single Sign-on 7.4.x releases are NOT affected. A fix is available for download from the Customer Portal and can be applied to RH-SSO 7.5.0.",
  "acknowledgement" : "Red Hat would like to thank Grzegorz Sobański (MLabs) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 7",
    "release_date" : "2021-12-20T00:00:00Z",
    "advisory" : "RHSA-2021:5218",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7",
    "package" : "rh-sso7-keycloak-0:15.0.2-3.redhat_00002.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 7",
    "release_date" : "2022-01-17T00:00:00Z",
    "advisory" : "RHSA-2022:0151",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7",
    "package" : "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 8",
    "release_date" : "2021-12-20T00:00:00Z",
    "advisory" : "RHSA-2021:5219",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8",
    "package" : "rh-sso7-keycloak-0:15.0.2-3.redhat_00002.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.5 for RHEL 8",
    "release_date" : "2022-01-17T00:00:00Z",
    "advisory" : "RHSA-2022:0152",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8",
    "package" : "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2022-01-04T00:00:00Z",
    "advisory" : "RHSA-2022:0015",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso75-openshift-rhel8:7.5-11"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2022-01-04T00:00:00Z",
    "advisory" : "RHSA-2022:0015",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso7-rhel8-operator-bundle:7.5.0-11"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2022-01-05T00:00:00Z",
    "advisory" : "RHSA-2022:0034",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso7-rhel8-operator-bundle:7.5.0-12"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2022-01-18T00:00:00Z",
    "advisory" : "RHSA-2022:0164",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso75-openshift-rhel8:7.5-15"
  }, {
    "product_name" : "RHSSO 7.5.1",
    "release_date" : "2022-01-17T00:00:00Z",
    "advisory" : "RHSA-2022:0155",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7",
    "package" : "keycloak-services"
  }, {
    "product_name" : "RHSSO 7.5 async for CVE-2021-4133",
    "release_date" : "2021-12-20T00:00:00Z",
    "advisory" : "RHSA-2021:5217",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7",
    "package" : "keycloak-services"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat A-MQ Online",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:amq_online:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-4133\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-4133\nhttps://github.com/keycloak/keycloak/issues/9247\nhttps://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487" ],
  "name" : "CVE-2021-4133",
  "mitigation" : {
    "value" : "Access to the user-creation functionality in the administrative REST endpoint can be deactivated with the following Undertow expression filter, added via the JBoss CLI.\nRun:\nbin/jboss-cli.sh --connect\n/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add( \\\nexpression=\"(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)\" \\\n)\n/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()",
    "lang" : "en:us"
  },
  "csaw" : false
}