Keycloak vulnerable to Improper Certificate Validation

GHSA-rpj2-w6fr-79hc · CVE-2020-35509

Published Aug 24, 2022 · Modified Jun 30, 2025

Description

keycloak accepts an expired certificate by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.

This issue was partially fixed in version 13.0.1 and more completely fixed in version 14.0.0.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-35509
WEB https://github.com/keycloak/keycloak/pull/6330
WEB https://github.com/keycloak/keycloak/pull/8067
WEB https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
WEB https://access.redhat.com/security/cve/cve-2020-35509
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1912427
PACKAGE https://github.com/keycloak/keycloak
WEB https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes