CVE-2020-14302

MEDIUM

Keycloak <13.0.0 - SSRF

Title source: llm

Description

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

References (1)

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1849584

Scores

CVSS v3 4.9

EPSS 0.0015

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-294

Status published

Products (1)

redhat/keycloak < 13.0.0

Published Dec 15, 2020

Tracked Since Feb 18, 2026