CVE-2020-35509 - log

CVE-2020-35509 edited at 18 Jun 2021 13:41:45
Description
- Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation.
+ A security issue has been found in Keycloak before version 14.0.0. Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by the Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1912427
https://issues.redhat.com/browse/KEYCLOAK-16450
+ https://github.com/keycloak/keycloak/pull/8067
+ https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
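The check that the description says is not triggered, as an added example (not Keycloak code and not taken from the advisory or the linked fix): a standard-library Python walker that pulls the Validity SEQUENCE out of a DER-encoded X.509 certificate and rejects a certificate whose notBefore/notAfter window does not contain the current time. This is the validation an authenticator must do itself whenever the TLS-terminating front end is not configured to do it. The certificate bytes are constructed inline (an unsigned, minimal Certificate-shaped structure) only so the parser has something to exercise; the names make_test_cert, extract_validity, check_validity and utc are chosen here and are not Keycloak identifiers.

```python
"""Validity-period check for a DER X.509 certificate (notBefore / notAfter).

Added example, not code from the Keycloak project or from the advisory.
Standard library only: a minimal DER TLV walker locates the Validity
SEQUENCE, and check_validity() compares it with the current time. The
sample certificate built by make_test_cert() is constructed test data
(no signature, empty issuer), not a real certificate.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (used only to construct the sample input)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _decode_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000  # two-digit year pivot, RFC 5280 4.1.2.5.1
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"not a Time value: tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _encode_time(dt: datetime) -> bytes:
    """UTCTime for years 1950-2049, GeneralizedTime otherwise (RFC 5280 rule)."""
    if 1950 <= dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def extract_validity(cert_der: bytes) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
      serialNumber INTEGER, signature SEQUENCE, issuer SEQUENCE,
      validity SEQUENCE { notBefore Time, notAfter Time }, ... }, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:  # optional explicit [0] version
        pos = nxt
    for _ in range(3):  # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    t1, v1, pos = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, pos)
    return _decode_time(t1, v1), _decode_time(t2, v2)


def check_validity(cert_der: bytes, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """The timestamp validation an authenticator must perform before trusting the cert."""
    not_before, not_after = extract_validity(cert_der)
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return False, f"certificate not yet valid (notBefore {not_before.isoformat()})"
    if now > not_after:
        return False, f"certificate expired (notAfter {not_after.isoformat()})"
    return True, "certificate within validity period"


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Convenience constructor for aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def make_test_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed test data: an unsigned, minimal Certificate-shaped DER blob."""
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] version v3
        + _tlv(0x02, b"\x01")  # serialNumber
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
        + _tlv(0x30, b"")  # issuer: empty Name, test data only
        + _tlv(0x30, _encode_time(not_before) + _encode_time(not_after))  # validity
    )
    return _tlv(0x30, _tlv(0x30, tbs))  # outer Certificate with only tbsCertificate (no signature)


if __name__ == "__main__":
    expired = make_test_cert(utc(2020, 1, 1), utc(2020, 12, 31, 23, 59, 59))
    print(check_validity(expired, now=utc(2021, 6, 18)))
```

The walker only needs the first five children of tbsCertificate, so it works on real DER certificates as well as on the constructed blob; the signature is deliberately not checked here, since the point of the advisory is the time window, and in a real authenticator the chain and signature checks run alongside this one.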
CVE-2020-35509 edited at 16 Feb 2021 11:14:55
References
https://bugzilla.redhat.com/show_bug.cgi?id=1912427
+ https://issues.redhat.com/browse/KEYCLOAK-16450
CVE-2020-35509 edited at 04 Jan 2021 14:10:41
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Certificate verification bypass
Description
+ Depending on the webserver configuration, a malicious user can supply an expired certificate and it would be accepted by Keycloak direct-grant authenticator. This is because Keycloak does not trigger the appropriate timestamp validation.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1912427
CVE-2020-35509 created at 04 Jan 2021 14:09:20
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes