Based on the provided image, I need to extract and summarize the key information about the vulnerability CVE-2020-4030. 1. Vulnerability Overview (漏洞概述): Title: CVE-2020-4030: UMA policy bypass allows authenticated users to gain unauthorized access to victim resources. Description: It's a UMA policy bypass in the REST API endpoint. The vulnerability allows an attacker to create a UMA policy that grants access to victim resources (including victim-owned ones) by specifying a third-party client as the resource owner. This bypasses the standard validation that checks if the resource owner is the same as the client creating the policy. 2. Impact/Scope (影响范围): Status: NEW. Product: Keycloak. Component: security-mgmt. Version: Unspecified (though the bug report mentions "Version: unspecified", the context implies Keycloak). Severity: High. OS: Linux. Environment: Cloud, On-premises. Impact: Allows authenticated users to gain unauthorized access to victim resources. 3. Fix/Mitigation (修复方案): The text mentions "Requirements to exploit" and "Steps to reproduce" but doesn't explicitly list a "Fix" or "Patch" in the visible text. However, it mentions "The vulnerability validation only checks ownership for the resource ID in the um_path, while the request body accepts a 'resource' array." This implies the fix would involve validating ownership for resources in the request body as well. Wait, looking closely at the text, it doesn't explicitly state the fix code, but describes the vulnerability mechanism. I will focus on the description of the flaw as the "issue" and note that no specific fix version is listed in the visible text, but the "Requirements to exploit" section gives clues on how to prevent it (e.g., ensuring the client creating the policy is the resource owner). Actually, looking at the "Requirements to exploit" section, it says "Authenticated user with um_permission role...". Self-Correction: The prompt asks for "Fix/Mitigation". The text doesn't explicitly have a "Fix" section. I will summarize the "Requirements to exploit" as the conditions needed, and perhaps infer the fix is to validate ownership correctly. Or, I will just state that the text describes the exploit steps. Let's look for a "Fix" field. There isn't one. I will focus on the "Steps to reproduce" as the core technical detail. 4. POC/Exploit Code (POC代码): The "Steps to reproduce" section contains a detailed, step-by-step guide that acts as a POC. I need to extract the specific commands and JSON payloads. Step 1: Deploy Keycloak. Step 2: Create client . Step 3: Create UMA policy via POST. URL: Body: Step 4: Create UMA resource via same endpoint. Body: Step 5: Create UMA policy (permission) via POST. URL: Body: Step 6: Create UMA policy (validate) via POST. URL: Body: Step 7: Attach policy to resource via POST. URL: (Wait, the text says but the body suggests attaching a policy to a resource. Let's look closer. Ah, step 7 says "Attach policy to resource via POST to /realms/{realm}/authorization/policies/validate". This looks like a typo in the original text or a specific endpoint usage. The body is . Wait, step 6 created . Step 7 says "Attach policy to resource". The body in step 7 is . This looks like it's re-defining or updating. Let's re-read carefully. Actually, Step 7 says: "Attach policy to resource via POST to /realms/{realm}/authorization/policies/validate". The body is . This seems to be the critical step where the bypass happens or is set up. Wait, let's look at the "Description" text again. "The vulnerability validation only checks ownership for the resource ID in the um_path, while the request body accepts a 'resource' array." Let's look at Step 7 again. "Attach policy to resource via POST to /realms/{realm}/authorization/policies/validate". The body is . This doesn't look like attaching a policy to a resource. Usually, that's done on the resource endpoint. Let's look at the JSON in Step 7: . This looks like creating a new policy or updating an existing one. Let's look at the text description of the exploit: "The attacker can then request an RT (Requesting Party Token) for the victim resources and receive valid permissions." Let's re-read Step 7 carefully. "Attach policy to resource via POST to /realms/{realm}/authorization/policies/validate". This is likely a typo in the bug report for the endpoint. It probably means attaching the policy to the resource. But I must transcribe what is there. Actually, looking at the JSON in Step 7: . This is creating a "validate" type policy. Let's look at the JSON in Step 6: . Wait, Step 6 and Step 7 have the exact same JSON body? Step 6: "Create UMA policy (validate) via POST to /realms/{realm}/authorization/policies/validate". Body: . Step 7: "Attach policy to resource via POST to /realms/{realm}/authorization/policies/validate". Body: . This is confusing. Let's look at the image very closely. Step 6 body: . Step 7 body: . Wait, Step 7 text says "Attach policy to resource". The body shown is . Let's