CVE-2020-14302

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 13.0.0

Description A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

Recommendations For versions prior to 13.0.0, update to version 13.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Keycloak endpoint that accepts the state parameter to minimize the risk of exploitation.