{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6920", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "REJECTED", "dateReserved": "2023-12-18T15:01:50.951Z", "dateUpdated": "2023-12-18T16:23:43.555Z", "dateRejected": "2023-12-18T16:23:43.555Z", "assignerShortName": "redhat"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-12-18T16:23:43.555Z"}, "rejectedReasons": [{"lang": "en", "value": "This flaw was found to be a duplicate of CVE-2023-6927. Please see https://access.redhat.com/security/cve/CVE-2023-6927 for information about affected products and security errata."}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This flaw was found to be a duplicate of CVE-2023-6927. Please see https://access.redhat.com/security/cve/CVE-2023-6927 for information about affected products and security errata."}], "id": "CVE-2023-6920", "lastModified": "2023-12-18T17:15:11.673", "metrics": {}, "published": "2023-12-18T17:15:11.673", "references": [], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Rejected"}

{"acknowledgement": "Red Hat would like to thank Pontus Hanssen (Megapoint.ES) for reporting this issue.", "bugzilla": {"description": "keycloak-core: Reflected XSS via wildcard in OIDC redirect_uri. Incomplete fix of CVE-2023-6134", "id": "2255024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255024"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "CWE-75", "details": ["An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode \"form_post.jwt\". Changing the response_mode parameter in the original proof of concept from \"form_post\" to \"form_post.jwt\" can bypass the security patch implemented to address CVE-2023-6134."], "mitigation": {"lang": "en:us", "value": "No current mitigation is available for this flaw."}, "name": "CVE-2023-6920", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "keycloak-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "keycloak-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2023-12-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6920\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6920"], "statement": "This flaw was found to be a duplicate of CVE-2023-6927. Please see https://access.redhat.com/security/cve/CVE-2023-6927 for information about affected products and security errata."}