A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same “state” parameter. This flaw allows a malicious user to perform replay attacks.
[
{
"product": "keycloak",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "keycloak 13.0.0"
}
]
}
]