CVE-2020-14302: Authentication Bypass by Capture-replay

December 15, 2020 (updated December 18, 2020)

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

References

bugzilla.redhat.com/show_bug.cgi?id=1849584
nvd.nist.gov/vuln/detail/CVE-2020-14302

Detect and mitigate CVE-2020-14302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →