CVE-2020-1744: Information Exposure

March 24, 2020 (updated September 14, 2021)

When configuring a Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.

References

access.redhat.com/security/cve/CVE-2020-1744
bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1744
nvd.nist.gov/vuln/detail/CVE-2020-1744

Code Behaviors & Features

Detect and mitigate CVE-2020-1744 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →