exploitDog

CVE-2019-3875

Published: 11 Jun 2019
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through a CRL, where the CRL can be obtained from the URL provided in the certificate itself (the CRL distribution point, CDP) or through a separately configured path. CRLs are often retrieved over the network through unsecured protocols ('http' or 'ldap'), so the caller should verify the CRL's signature and possibly its certification path. Keycloak currently does not validate signatures on the CRL, which can enable various attacks, such as a man-in-the-middle substituting a CRL of its own.

Affected packages

Platform | Package | Status | Advisory | Release
Red Hat Fuse 7 | keycloak | Will not fix | |
Red Hat Mobile Application Platform 4 | keycloak | Out of support scope | |
Red Hat OpenShift Application Runtimes | keycloak | Out of support scope | |
Red Hat Single Sign-On 7 | rh-sso7-keycloak | Affected | |
Red Hat support for Spring Boot | keycloak | Affected | |
Red Hat Runtimes Spring Boot 2.1.12 | keycloak | Fixed | RHSA-2020:2366 | 04.06.2020
Red Hat Single Sign-On 7.3.2 zip | | Fixed | RHSA-2019:1456 | 11.06.2019
Text-Only RHOAR | | Fixed | RHSA-2020:2067 | 18.05.2020

Additional information

Status: Moderate
Weakness: CWE-345->CWE-295
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1690628
keycloak: missing signatures validation on CRL used to verify client certificates

EPSS: 0.00047 (percentile: 15%, Low)
CVSS3: 6.5 Medium

Related vulnerabilities

CVSS3: 6.5
nvd
more than 6 years ago


CVSS3: 6.5
debian
more than 6 years ago

A vulnerability was found in keycloak before 6.0.2. The X.509 authenti ...

CVSS3: 4.8
github
more than 6 years ago

Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak