{
  "threat_severity" : "Moderate",
  "public_date" : "2022-01-10T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: Improper authorization for master realm",
    "id" : "2050228",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-863->CWE-1220",
  "details" : [ "Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.", "A flaw was found in Keycloak. Red Hat Single Sign-On allowed authenticated users to perform actions outside their permissions. This flaw makes it possible to add users to the master realm even though no corresponding permission was granted." ],
  "acknowledgement" : "Red Hat would like to thank Christian Dölling for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "RHSSO 7.5.1",
    "release_date" : "2022-02-07T00:00:00Z",
    "advisory" : "RHSA-2022:0449",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "rh-sso7-keycloak",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Not affected",
    "package_name" : "keycloak",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1466\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1466" ],
  "name" : "CVE-2022-1466",
  "csaw" : false
}