Is there an official score available, independent of Red Hat's Single Sign-On 7.3.5 product? (It is 8.3 here: https://access.redhat.com/security/cve/CVE-2021-4133#cve-cvss-v3.)
The rationale behind my question is to assess the risk accurately for the Keycloak server itself. Say I'm in a situation where there are existing installations of my product that use Keycloak 12.0.4 (vulnerable). Next cycle, we'll update to 16.1, but at the moment it's not practical to back-port the 16.1-related integration changes, client library impacts, etc. It's also not practical to disable the REST API, since I believe the admin console uses it for local users, which in my case we need, correct?
So I'm left naively wondering: OK, it's bad, one John Smith can create another John Smith2 who shouldn't be there. But John Smith2 cannot get any roles assigned to him (I am assuming; otherwise it would have been called out in the advisory), so presumably he cannot do much with his new ID. So there is no direct elevation of privilege here, am I correct? Not without some compound, layered attack with another vulnerability (which, to be safe, we should presume could exist, but there is no evidence of that this time, is there?).
Perhaps this is an actual practical issue, though: a DoS attack by blasting Keycloak with create-user requests (basically bloating the backend DB)?
Thanks for any additional factual info (or even opinion) you may have on the topic!
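An added example, not part of the question above and not Keycloak project code: while a patch is pending, one thing a practitioner can do is watch for the two behaviours the post worries about, user accounts created by actors who are not known administrators, and bursts of user creation that would bloat the backend database. The script below does that offline over an export of Keycloak admin events. It assumes admin events are enabled and exported as JSON in the shape returned by GET /admin/realms/{realm}/admin-events (fields `time` in milliseconds, `operationType`, `resourceType`, `authDetails.userId`, `resourcePath`); the sample events, the user IDs and the `KNOWN_ADMIN_USER_IDS` allow-list are constructed for illustration.

```python
"""Audit Keycloak admin events for user creations by unexpected actors
and for bursts of user creation (added example; not Keycloak's own code)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample. Field names follow Keycloak's admin-event JSON
# representation (assumption); IDs and timestamps are made up.
_BASE_MS = 1_640_000_000_000
SAMPLE_ADMIN_EVENTS = json.dumps([
    {"time": _BASE_MS, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "USER", "resourcePath": "users/u-1001",
     "authDetails": {"userId": "admin-0001", "clientId": "admin-cli", "ipAddress": "10.0.0.5"}},
    {"time": _BASE_MS + 1_000, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "USER", "resourcePath": "users/u-1002",
     "authDetails": {"userId": "jsmith-0002", "clientId": "account", "ipAddress": "203.0.113.9"}},
    {"time": _BASE_MS + 2_000, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "USER", "resourcePath": "users/u-1003",
     "authDetails": {"userId": "jsmith-0002", "clientId": "account", "ipAddress": "203.0.113.9"}},
    {"time": _BASE_MS + 3_000, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "USER", "resourcePath": "users/u-1004",
     "authDetails": {"userId": "jsmith-0002", "clientId": "account", "ipAddress": "203.0.113.9"}},
    # Not a creation: an UPDATE on an existing user must be ignored.
    {"time": _BASE_MS + 3_500, "realmId": "demo", "operationType": "UPDATE",
     "resourceType": "USER", "resourcePath": "users/u-1002",
     "authDetails": {"userId": "jsmith-0002", "clientId": "account", "ipAddress": "203.0.113.9"}},
    # Not a user: a CLIENT creation by the admin must be ignored.
    {"time": _BASE_MS + 4_000, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "CLIENT", "resourcePath": "clients/c-77",
     "authDetails": {"userId": "admin-0001", "clientId": "admin-cli", "ipAddress": "10.0.0.5"}},
    # Two minutes later: outside a 60-second burst window.
    {"time": _BASE_MS + 120_000, "realmId": "demo", "operationType": "CREATE",
     "resourceType": "USER", "resourcePath": "users/u-1005",
     "authDetails": {"userId": "jsmith-0002", "clientId": "account", "ipAddress": "203.0.113.9"}},
])

# Hypothetical allow-list of user IDs that are expected to create accounts.
KNOWN_ADMIN_USER_IDS = {"admin-0001"}


def load_admin_events(raw_json):
    """Parse an admin-event export (a JSON array of event objects)."""
    return json.loads(raw_json)


def actor_of(event):
    """User ID of the authenticated actor, or '<unknown>' if absent."""
    return (event.get("authDetails") or {}).get("userId", "<unknown>")


def user_creations(events):
    """Keep only events that created a USER resource."""
    return [e for e in events
            if e.get("resourceType") == "USER" and e.get("operationType") == "CREATE"]


def creations_by_unexpected_actors(events, allowed_actor_ids):
    """User creations whose actor is not on the allow-list."""
    return [e for e in user_creations(events) if actor_of(e) not in allowed_actor_ids]


def max_creations_in_window(events, window_seconds):
    """Per actor, the largest number of user creations inside any sliding
    window of `window_seconds` (two-pointer scan over sorted timestamps)."""
    by_actor = defaultdict(list)
    for e in user_creations(events):
        by_actor[actor_of(e)].append(int(e["time"]))
    window_ms = window_seconds * 1000
    result = {}
    for actor, times in by_actor.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:
                start += 1
            best = max(best, end - start + 1)
        result[actor] = best
    return result


def burst_actors(events, window_seconds=60, threshold=3):
    """Actors who created at least `threshold` users within `window_seconds`."""
    return {a: n for a, n in max_creations_in_window(events, window_seconds).items()
            if n >= threshold}


if __name__ == "__main__":
    evs = load_admin_events(SAMPLE_ADMIN_EVENTS)
    for e in creations_by_unexpected_actors(evs, KNOWN_ADMIN_USER_IDS):
        when = datetime.fromtimestamp(e["time"] / 1000, tz=timezone.utc).isoformat()
        print(f"{when} unexpected actor {actor_of(e)} created {e['resourcePath']}")
    for actor, n in burst_actors(evs).items():
        print(f"burst: {actor} created {n} users within 60s")
```

Two points of design: the allow-list is a stand-in for whatever "is a realm administrator" means in a given deployment (the export does not carry the actor's roles, so resolve that out of band), and the sliding window counts the maximum density per actor rather than a per-day total, which is what distinguishes an abusive flood of create-user requests from ordinary provisioning.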