Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM4Y2ctZ2c5ai1xOWo5

Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

Permalink: https://github.com/advisories/GHSA-38cg-gg9j-q9j9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTM4Y2ctZ2c5ai1xOWo5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago


CVSS Score: 4.8
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Percentage: 0.00057
EPSS Percentile: 0.25883

Identifiers: GHSA-38cg-gg9j-q9j9, CVE-2019-3875
References: Blast Radius: 14.7

Affected Packages

maven:org.keycloak:keycloak-core
Dependent packages: 376
Dependent repositories: 1,153
Downloads:
Affected Version Ranges: <= 6.0.1
No known fixed version
All affected versions: 5.0.0, 6.0.0, 6.0.1