PT-2022-8928 · Red Hat · Keycloak

Author: Luca Leonardo Scorcia · Published: 2022-08-23 · Updated: 2025-06-30

CVE-2020-35509
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak versions 11.0.3 through 13.0.0

Description: A flaw was found in the direct-grant authenticator of Keycloak, where an expired certificate would be accepted due to missing timestamp validation. The highest threat from this issue is to data confidentiality and integrity.

Recommendations: For Keycloak versions 11.0.3 through 12.0.0, update to version 14.0.0 to fully resolve the issue. For Keycloak version 13.0.0, update to version 14.0.0 for a more complete fix, as version 13.0.1 only partially addresses the issue. As a temporary workaround, consider restricting the use of the direct-grant authenticator until a patch is applied.

Tags: Fix · Improper Certificate Validation · RCE


Weakness Enumeration

Related Identifiers

CVE-2020-35509
GHSA-RPJ2-W6FR-79HC
RHSA-2021:3527
RHSA-2021:3528
RHSA-2021:3529

Affected Products

Keycloak