CVE-2020-35509 — Improper Input Validation in Redhat Keycloak

CWE-20 — Improper Input Validation CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 75.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak

Timeline

PublishedAug 23

Latest updateAug 24

Description

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5redhat/keycloak11.0.3, 12.0.0

▶NVDredhat/keycloak11.0.3, 12.0.0+1

🔴Vulnerability Details

OSV

Keycloak vulnerable to Improper Certificate Validation↗2022-08-24

▶

GHSA

Keycloak vulnerable to Improper Certificate Validation↗2022-08-24

▶

CVEList

CVE-2020-35509: A flaw was found in keycloak affecting versions 11↗2022-08-23

▶

📋Vendor Advisories

Red Hat

keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity↗2021-01-04

▶