Keycloak vulnerable to Improper Certificate Validation

🗓️ 24 Aug 2022 00:00:29Reported by GitHub Advisory DatabaseType

github

github🔗 github.com👁 25 Views

Keycloak authentication vulnerability due to missing certificate validatio

Reporter	Title	Published	Views	Family All 28
ArchLinux	[ASA-202106-53] keycloak: certificate verification bypass	22 Jun 202100:00	–	archlinux
CNNVD	Red Hat Keycloak Trust Management Issues Vulnerability	4 Jan 202100:00	–	cnnvd
CVE	CVE-2020-35509	23 Aug 202215:53	–	cve
Cvelist	CVE-2020-35509	23 Aug 202215:53	–	cvelist
EUVD	EUVD-2022-6620	3 Oct 202520:07	–	euvd
NVD	CVE-2020-35509	23 Aug 202216:15	–	nvd
OSV	CVE-2020-35509	23 Aug 202216:15	–	osv
OSV	GHSA-RPJ2-W6FR-79HC Keycloak vulnerable to Improper Certificate Validation	24 Aug 202200:00	–	osv
OSV	RHSA-2021:3527 Red Hat Security Advisory: Red Hat Single Sign-On 7.4.9 security update on RHEL 6	29 Sep 202418:12	–	osv
OSV	RHSA-2021:3528 Red Hat Security Advisory: Red Hat Single Sign-On 7.4.9 security update on RHEL 7	29 Sep 202418:12	–	osv

Vulners

Node

org.keycloak keycloak-coreRange<14.0.0maven

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2020-35509
access	www.access.redhat.com/security/cve/cve-2020-35509
github	www.github.com/keycloak/keycloak/pull/6330
github	www.github.com/keycloak/keycloak/pull/8067
github	www.github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
github	www.github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java
github	www.github.com/advisories/GHSA-rpj2-w6fr-79hc

30 Jun 2025 21:46Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.15.4

EPSS0.00087

SSVC

keycloak authentication vulnerability certificate validation data confidentiality data integrity software security