Description
Keycloak vulnerable to Improper Certificate Validation
Keycloak accepts an expired client certificate in the direct-grant X.509 authenticator because the certificate's validity window (notBefore/notAfter) is never checked against the current time. An expired certificate whose chain and subject still check out is therefore treated as a valid credential. The highest threat from this vulnerability is to data confidentiality and integrity.
This issue was partially fixed in version 13.0.1 and more completely fixed in version 14.0.0.
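The following is an added illustration, not Keycloak's own code or the patch referenced below: it shows the validity-window check that an X.509 authenticator must perform in addition to chain and subject validation, with the vulnerable pattern (extract the username, never look at the dates) beside the hardened one. Class, method and enum names are hypothetical; the check itself uses the standard `java.security.cert.X509Certificate.checkValidity(Date)` API, which throws `CertificateExpiredException` or `CertificateNotYetValidException` when the supplied instant is outside the certificate's window. Any PEM or DER certificate file can be passed as input.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;

/** Hypothetical helper (not Keycloak code) demonstrating the missing timestamp validation. */
public class CertTimestampCheck {

    public enum Result { VALID, EXPIRED, NOT_YET_VALID }

    /** Evaluates the certificate's notBefore/notAfter window at the given instant. */
    public static Result checkWindow(X509Certificate cert, Instant now) {
        try {
            cert.checkValidity(Date.from(now));
            return Result.VALID;
        } catch (CertificateExpiredException e) {
            return Result.EXPIRED;
        } catch (CertificateNotYetValidException e) {
            return Result.NOT_YET_VALID;
        }
    }

    /** Vulnerable pattern: the subject is mapped to a username with no time check at all. */
    static String usernameWithoutTimestampCheck(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    /** Hardened pattern: refuse the certificate unless it is inside its validity window. */
    static String usernameWithTimestampCheck(X509Certificate cert, Instant now) {
        Result r = checkWindow(cert, now);
        if (r != Result.VALID) {
            throw new SecurityException("certificate rejected: " + r
                    + " (notBefore=" + cert.getNotBefore()
                    + ", notAfter=" + cert.getNotAfter() + ")");
        }
        return cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertTimestampCheck <cert.pem|cert.der>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            // CertificateFactory accepts both PEM and DER encodings.
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Instant now = Instant.now();
        System.out.println("subject (no time check)  : " + usernameWithoutTimestampCheck(cert));
        System.out.println("window check at now      : " + checkWindow(cert, now));

        // Evaluate one day after notAfter to show that the hardened path rejects an expired certificate
        // even though the subject mapping above still "succeeds".
        Instant afterExpiry = cert.getNotAfter().toInstant().plusSeconds(86_400);
        System.out.println("window check past expiry : " + checkWindow(cert, afterExpiry));
        try {
            usernameWithTimestampCheck(cert, afterExpiry);
        } catch (SecurityException e) {
            System.out.println("hardened path            : " + e.getMessage());
        }
    }
}
```

`checkValidity` covers only the leaf certificate's own window; it is not a substitute for chain validation or for revocation checking (CRL/OCSP), which remain separate steps. To cross-check the dates the program prints, `openssl x509 -in cert.pem -noout -dates` shows the same notBefore/notAfter values.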
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-35509
- https://github.com/keycloak/keycloak/pull/6330
- https://github.com/keycloak/keycloak/pull/8067
- https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
- https://access.redhat.com/security/cve/cve-2020-35509
- https://bugzilla.redhat.com/show_bug.cgi?id=1912427
- https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
Packages
org.keycloak:keycloak-core
Affected versions: < 14.0.0
Patched version: 14.0.0
Related vulnerabilities
A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.