CVE-2020-35509: Keycloak vulnerable to Improper Certificate Validation
(updated )
keycloak accepts an expired certificate by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
This issue was partially fixed in version 13.0.1 and more completely fixed in version 14.0.0.
References
- access.redhat.com/security/cve/cve-2020-35509
- bugzilla.redhat.com/show_bug.cgi?id=1912427
- github.com/advisories/GHSA-rpj2-w6fr-79hc
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
- github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
- github.com/keycloak/keycloak/pull/6330
- github.com/keycloak/keycloak/pull/8067
- nvd.nist.gov/vuln/detail/CVE-2020-35509
Code Behaviors & Features
Detect and mitigate CVE-2020-35509 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →