{"id": "CVE-2020-14302", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2020-12-15T20:15:15.573", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1849584", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-294"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-294"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same \"state\" parameter. This flaw allows a malicious user to perform replay attacks."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Keycloak versiones anteriores a 13.0.0, donde un proveedor de identidad externo, despu\u00e9s de una autenticaci\u00f3n con \u00e9xito, redirecciona un endpoint hacia Keycloak que acepta m\u00faltiples invocaciones con el uso del mismo par\u00e1metro \"state\". Este fallo permite a un usuario malicioso llevar a cabo ataques de reproducci\u00f3n."}], "lastModified": "2020-12-18T16:19:25.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C59F338-CA05-4F1D-84DA-246111636A0E", "versionEndExcluding": "13.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}