Vulnerability Finding Name: Red Hat Keycloak Trust Email Configuration Email Change Handling Remote Issue.
Discussion: Red Hat Keycloak Trust Email Configuration Email Change Handling Remote Issue. Red Hat Keycloak contains a flaw that is triggered as the Trust Email configuration is not properly implemented. When a user updates the email in one realm that is a identity provider for another realm, the updated email address is automatically marked as verified without requiring verification by the user. This may allow an authenticated, remote attacker to lock-out or impersonate other users.
CVSS Score: 6.5
Release : 10.7
The way we have IAM configured, we are not at risk for this vulnerability. In order for IAM to be vulnerable, you must be able to create a "shared" realm, where the "customer" realm is linked as an identity provider. If you look at the Service Virtualization IAM page, we have disabled the creation of a realm through the UI, and therefore we are not vulnerable.