CVE-2019-3875

Name of the Vulnerable Software and Affected Versions Keycloak versions prior to 6.0.2

Description A vulnerability was found in the X.509 authenticator, which supports the verification of client certificates through the Certificate Revocation List (CRL). The CRL can be obtained from the URL provided in the certificate itself (CDP) or through a separately configured path. However, the CRL is often available over the network through unsecured protocols, such as 'http' or 'ldap'. As a result, Keycloak's failure to validate signatures on CRL can lead to various attacks, including man-in-the-middle attacks.

Recommendations For versions prior to 6.0.2, update to version 6.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the X.509 authenticator or verifying the signature and certification path of the CRL manually until a patch is applied.