CVE-2020-14302

Опубликовано: 26 нояб. 2020

Источник: redhat

CVSS3: 3.5

EPSS Низкий

Описание

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

A flaw was found in Keycloak, where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Decision Manager 7	keycloak	Not affected
Red Hat Fuse 7	keycloak	Not affected
Red Hat OpenShift Application Runtimes	keycloak	Not affected
Red Hat Process Automation 7	keycloak	Not affected
Red Hat support for Spring Boot	keycloak	Not affected
Red Hat Single Sign-On 7.4.6		Fixed	RHSA-2021:0974	23.03.2021
Red Hat Single Sign-On 7.4 for RHEL 6	rh-sso7-keycloak	Fixed	RHSA-2021:0967	23.03.2021
Red Hat Single Sign-On 7.4 for RHEL 7	rh-sso7-keycloak	Fixed	RHSA-2021:0968	23.03.2021
Red Hat Single Sign-On 7.4 for RHEL 8	rh-sso7-keycloak	Fixed	RHSA-2021:0969	23.03.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-294

https://bugzilla.redhat.com/show_bug.cgi?id=1849584keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks

EPSS

Процентиль: 36%

0.00154

Низкий

3.5 Low

CVSS3

Связанные уязвимости

CVE-2020-14302

CVSS3: 4.9

nvd

около 5 лет назад

CVE-2020-14302

CVSS3: 4.9

debian

около 5 лет назад

A flaw was found in Keycloak before 13.0.0 where an external identity ...

GHSA-74gp-x82w-5v28

CVSS3: 4.9

github

больше 3 лет назад

EPSS

Процентиль: 36%

0.00154

Низкий

3.5 Low

CVSS3