CVE-2020-35509 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Certificate verification bypass
Description	A security issue has been found in Keycloak before version 14.0.0. Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2084	keycloak	13.0.1-1	14.0.0-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Jun 2021	ASA-202106-53	AVG-2084	keycloak	Medium	certificate verification bypass

References
https://bugzilla.redhat.com/show_bug.cgi?id=1912427 https://issues.redhat.com/browse/KEYCLOAK-16450 https://github.com/keycloak/keycloak/pull/8067 https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb

References

https://bugzilla.redhat.com/show_bug.cgi?id=1912427
https://issues.redhat.com/browse/KEYCLOAK-16450
https://github.com/keycloak/keycloak/pull/8067
https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb