keycloak-httpd-client-install is vulnerable to unauthorized file overwrite. Unsafe creation of a log file in /tmp via the --log-file option in keycloak_cli.py allows a local attacker to overwrite other files via a symbolic link.
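For illustration of the defensive pattern behind this class of bug, the following is an added example, not the project's own code or the fix in the linked commit: the hypothetical helper `open_log_file_safely` creates a log file with `O_NOFOLLOW` and `O_CREAT|O_EXCL` so that a symbolic link pre-planted at the log path in a shared directory is refused instead of followed.

```python
import errno
import os
import stat
import tempfile


def open_log_file_safely(path, mode=0o600):
    """Create a log file without following a symlink at the final path component.

    Hypothetical hardened helper (not keycloak_cli.py's code). O_NOFOLLOW makes
    open() fail if `path` is a symbolic link, and O_CREAT|O_EXCL fails if any
    file already exists there, so a link planted in a world-writable directory
    such as /tmp cannot redirect the write to another file.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        # Belt and braces: the descriptor must be a regular file owned by us.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise OSError(errno.EPERM, "not a regular file owned by caller", path)
        os.fchmod(fd, mode)  # apply the mode regardless of the process umask
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "w")


def demo():
    """Constructed scenario: a symlink at the log path is refused and its target
    stays intact, while a fresh path becomes a 0600 regular file.
    Returns (symlink_refused_and_target_intact, fresh_file_mode)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(d, "planted.log")
        os.symlink(victim, planted)  # simulates the pre-existing link the advisory describes
        try:
            open_log_file_safely(planted)
            refused = False
        except OSError:  # EEXIST from O_EXCL or ELOOP from O_NOFOLLOW
            refused = True
        with open(victim) as f:
            intact = f.read() == "original\n"
        fresh = os.path.join(d, "fresh.log")
        with open_log_file_safely(fresh) as log:
            log.write("log line\n")
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)
    return refused and intact, fresh_mode
```

Because of `O_EXCL`, an already existing log file is rejected rather than appended to; a caller wanting append semantics would drop `O_EXCL` and rely on `O_NOFOLLOW` plus the `fstat` ownership check.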
access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index
access.redhat.com/errata/RHSA-2019:2137
access.redhat.com/security/updates/classification/#low
bugzilla.redhat.com/show_bug.cgi?id=1673716
github.com/jdennis/keycloak-httpd-client-install/commit/07f26e213196936fb328ea0c1d5a66a09d8b5440