CVE-2019-3875Improper Certificate Validation in Redhat Keycloak

CWE-295Improper Certificate ValidationCWE-345Insufficient Verification of Data Authenticity7 documents6 sources
Severity
4.8MEDIUMNVD
CNA6.5
EPSS
0.0%
top 85.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redhat KeycloakRED HAT KeycloakRedhat Single Sign-on
Timeline
PublishedJun 12
Latest updateOct 29

Description

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures o

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages3 packages

NVDredhat/keycloak< 6.0.2
CVEListV5red_hat/keycloak6.0.2

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
OSV
Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak2019-06-27
GHSA
Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak2019-06-27
CVEList
CVE-2019-3875: A vulnerability was found in keycloak before 62019-06-12

📋Vendor Advisories

1
Red Hat
keycloak: missing signatures validation on CRL used to verify client certificates2019-06-11

💬Community

2
Bugzilla
CVE-2019-17040 rsyslog: out-of-bounds read in contrib/pmdb2diag/pmdb2diag.c2019-10-29
Bugzilla
CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates2019-03-19
CVE-2019-3875 — Improper Certificate Validation | cvebase