CVE-2020-35509

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.

Published: Aug 23, 2022
Updated: May 9, 2024
CVE: CVE-2020-35509
GHSA: GHSA-rpj2-w6fr-79hc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
redhat / keycloak	12.0.0	12.0.0.x
redhat / keycloak	11.0.3	11.0.3.x
org.keycloak / keycloak-core	-	14.0.0

https://access.redhat.com/security/cve/cve-2020-35509
https://bugzilla.redhat.com/show_bug.cgi?id=1912427
https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
https://github.com/keycloak/keycloak/pull/6330
https://github.com/keycloak/keycloak/pull/8067

Vulnerability Database

CVE-2020-35509

Deep Security Visibility Without the Complexity