VYPR
Moderate severity · NVD Advisory · Published Apr 26, 2022 · Updated Aug 3, 2024

CVE-2022-1466

Description

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Red Hat Single Sign-On 7.5.0.GA allows unauthorized users to add accounts to the master realm due to improper authorization.

Vulnerability

Red Hat Single Sign-On (RH-SSO) 7.5.0.GA contains an improper authorization vulnerability (CWE-863) that allows users to perform actions they should not be allowed to perform. Specifically, it was possible to add users to the master realm even though no respective permission was granted [1][2]. The issue resides in the authorization logic for realm management, where the server fails to properly enforce permissions for the master realm when handling user creation requests.

Exploitation

An attacker needs a valid user account with administrative privileges in all realms except the master realm, where read-only permissions are granted. Although the "add user" button is not displayed in the master realm UI, the attacker can send a direct server request (e.g., via HTTP API) to create new user accounts in the master realm [2][3]. The SySS advisory provides a proof of concept demonstrating this bypass [2].

Impact

Successful exploitation allows the attacker to create arbitrary user accounts in the master realm, which is the top-level administrative realm. This can lead to privilege escalation, unauthorized access to the entire RH-SSO deployment, and potential compromise of all realms managed by the instance [2].

Mitigation

Red Hat released a fix for this vulnerability on 2022-02-07 [2]. Users should upgrade to a patched version of RH-SSO (e.g., 7.5.1 or later). The Red Hat Bugzilla entry (CVE-2022-1466) was closed as NOTABUG, but the SySS advisory confirms the fix was provided to the vendor and released [4]. No workaround is documented; upgrading is the recommended mitigation.
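One defender-side check suggested by the scenario above, as an added example that is not taken from the advisory or from RH-SSO/Keycloak itself: it scans admin-event log lines for user creations in the master realm performed by principals that are not known master-realm user managers, which is exactly the action the bypass permits. The key=value line format, the sample events and the allowlist are constructed assumptions; map them onto whatever admin-event sink your deployment actually uses.

```python
"""Flag master-realm user creations by accounts that should not hold that permission.

Added example, not from the advisory or from Keycloak/RH-SSO. The key=value
admin-event line format, the sample events and the allowlist below are ASSUMED
and constructed for illustration; adapt the parser to your event sink.
"""
import re
from typing import Dict, List, Set

# Constructed sample: admin-event lines as a logging event listener might emit them.
SAMPLE_EVENTS = [
    "operationType=CREATE, realmId=master, userId=admin-1, resourceType=USER, resourcePath=users/aaa",
    "operationType=CREATE, realmId=master, userId=tenant-admin-7, resourceType=USER, resourcePath=users/bbb",
    "operationType=UPDATE, realmId=master, userId=tenant-admin-7, resourceType=USER, resourcePath=users/ccc",
    "operationType=CREATE, realmId=tenant-a, userId=tenant-admin-7, resourceType=USER, resourcePath=users/ddd",
]

# Constructed: user IDs that legitimately hold manage-users in the master realm.
MASTER_MANAGE_USERS: Set[str] = {"admin-1"}

_KV = re.compile(r"(\w+)=([^,]+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value, key=value' admin-event line into a dict."""
    return {k: v.strip() for k, v in _KV.findall(line)}


def is_suspicious(ev: Dict[str, str], allowed: Set[str]) -> bool:
    """True for a USER CREATE in realm 'master' by a principal not on the allowlist.

    In the advisory's scenario such a principal only has read access to master, so
    any creation it performs points at the authorization bypass (or a misconfiguration).
    """
    return (
        ev.get("realmId") == "master"
        and ev.get("resourceType") == "USER"
        and ev.get("operationType") == "CREATE"
        and ev.get("userId") not in allowed
    )


def find_unauthorized_master_creates(lines: List[str], allowed: Set[str]) -> List[str]:
    """Return the resourcePath of every suspicious master-realm user creation."""
    return [
        parse_event(line).get("resourcePath", "<unknown>")
        for line in lines
        if is_suspicious(parse_event(line), allowed)
    ]


if __name__ == "__main__":
    for path in find_unauthorized_master_creates(SAMPLE_EVENTS, MASTER_MANAGE_USERS):
        print("ALERT: master-realm user created without permission:", path)
```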

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions   Patched versions
org.keycloak:keycloak-core   Maven       < 17.0.1            17.0.1

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)