Authentication Bypass by Capture-replay in Keycloak

#VU49113 Authentication Bypass by Capture-replay in Keycloak

Published: 2020-12-15 | Updated: 2020-12-21

Vulnerability identifier: #VU49113

Vulnerability risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14302

CWE-ID: CWE-294

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the way Keycloak hadles authentication via external identity providers. After successful authentication the user is redirected to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. A remote attacker can perform a replay attack and bypass authentication process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Keycloak: 0.6.0 - 12.0.0

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1849584

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Keycloak