CVE-2020-35509: Improper Certificate Validation
Keycloak accepts an expired certificate in the direct-grant X.509 authenticator because the certificate's validity period is never checked. The highest threat from this vulnerability is to data confidentiality and integrity.
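As an added illustration (not Keycloak code and not taken from the referenced commits or pull requests), the following Go program builds a constructed in-memory CA and client certificates, then contrasts an authenticator that maps a trusted certificate to a username without ever reading its validity window against one that adds that check before any user mapping. All names (`newTestPKI`, `issueClientCert`, `isTrusted`, `checkValidity`, `authenticateVulnerable`, `authenticateFixed`) and the sample certificates are assumptions made for this example; `checkValidity` plays the role of Java's `X509Certificate.checkValidity()`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key for the constructed test PKI (sample input only).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate from tmpl, signed by parent/parentKey
// (self-signed when parent == tmpl). Constructed sample input, not Keycloak code.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newTestPKI returns a constructed CA certificate and its signing key.
func newTestPKI() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueClientCert issues a client-auth certificate for cn with the given validity window.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &newKey().PublicKey, caKey)
}

// isTrusted is the chain-of-trust check that even the vulnerable path performs:
// the client certificate must be signed by one of the configured anchors.
// Note that CheckSignatureFrom says nothing about NotBefore/NotAfter.
func isTrusted(cert *x509.Certificate, anchors []*x509.Certificate) bool {
	for _, anchor := range anchors {
		if cert.CheckSignatureFrom(anchor) == nil {
			return true
		}
	}
	return false
}

// checkValidity is the time-stamp check the advisory describes as missing.
// The clock is a parameter so the check can be exercised with fixed times.
func checkValidity(cert *x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("certificate not yet valid (notBefore %s, now %s)",
			cert.NotBefore.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("certificate expired (notAfter %s, now %s)",
			cert.NotAfter.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	return nil
}

// authenticateVulnerable models the defect class: trust is verified and the
// subject CN is mapped to a username, but `now` is never compared with the
// certificate's validity window, so an expired certificate still logs in.
func authenticateVulnerable(cert *x509.Certificate, anchors []*x509.Certificate, now time.Time) (string, error) {
	if !isTrusted(cert, anchors) {
		return "", errors.New("certificate is not issued by a trusted anchor")
	}
	return cert.Subject.CommonName, nil
}

// authenticateFixed rejects the certificate outside its validity window
// before any user lookup happens.
func authenticateFixed(cert *x509.Certificate, anchors []*x509.Certificate, now time.Time) (string, error) {
	if !isTrusted(cert, anchors) {
		return "", errors.New("certificate is not issued by a trusted anchor")
	}
	if err := checkValidity(cert, now); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newTestPKI()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed client certificate that expired a day ago.
	expired, err := issueClientCert(ca, caKey, "alice", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	anchors := []*x509.Certificate{ca}
	u, err := authenticateVulnerable(expired, anchors, now)
	fmt.Printf("vulnerable path: user=%q err=%v\n", u, err)
	u, err = authenticateFixed(expired, anchors, now)
	fmt.Printf("fixed path:      user=%q err=%v\n", u, err)
}
```

Running it shows the vulnerable path returning `alice` for the expired certificate while the fixed path returns an expiry error. The design point is that signature verification and validity-period verification are separate checks: an authenticator that only does the former treats a revoked-by-time credential as live, which is why the validity check belongs before the user mapping rather than being left to a later step.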
References
- access.redhat.com/security/cve/cve-2020-35509
- bugzilla.redhat.com/show_bug.cgi?id=1912427
- github.com/advisories/GHSA-rpj2-w6fr-79hc
- github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
- github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
- github.com/keycloak/keycloak/pull/6330
- github.com/keycloak/keycloak/pull/8067
- nvd.nist.gov/vuln/detail/CVE-2020-35509