CVE-2022-1466: 
Java vulnerability analysis and mitigation

Due to improper authorization, Red Hat Single Sign-On 7.5.0.GA was vulnerable to users performing actions that they should not be allowed to perform. The vulnerability (CVE-2022-1466) was discovered on December 7, 2021, reported to Red Hat on December 8, 2021, and publicly disclosed on February 10, 2022. The issue specifically affected Red Hat Single Sign-On and Keycloak versions prior to 17.0.1 (SYSS Advisory).

The vulnerability allowed users to add new accounts to the master realm without having the appropriate permissions. Even when a user had administrative privileges in all realms except the master realm (where only read-only permissions were granted), they could bypass these restrictions by sending direct HTTP POST requests to '/auth/admin/realms/master/users'. The vulnerability was assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allowed unauthorized users to create new accounts in the master realm, potentially compromising the security model of the Single Sign-On system. This could lead to unauthorized access and privilege escalation within the authentication system (SYSS Advisory).

The vulnerability was fixed in Red Hat Single Sign-On 7.5.1 and Keycloak version 17.0.1. The fix implemented proper authorization checks on the server before adding new users. Users are advised to upgrade to these or later versions to address the vulnerability (Red Hat Portal).