CVE-2020-35509

2022-08-2316:15:08

CWE-295

CWE-20

redhat

web.nvd.nist.gov

flaw

keycloak

expired certificate

direct-grant authenticator

time stamp validations

vulnerability

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.

Affected configurations

Nvd

Vulners

Node

redhatkeycloakMatch11.0.3

redhatkeycloakMatch12.0.0

VendorProductVersionCPE
redhatkeycloak11.0.3cpe:2.3:a:redhat:keycloak:11.0.3:*:*:*:*:*:*:*
redhatkeycloak12.0.0cpe:2.3:a:redhat:keycloak:12.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	keycloak	11.0.3	cpe:2.3:a:redhat:keycloak:11.0.3:::::::*
redhat	keycloak	12.0.0	cpe:2.3:a:redhat:keycloak:12.0.0:::::::*

CNA Affected

[
  {
    "product": "keycloak",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "11.0.3, 12.0.0"
      }
    ]
  }
]