{"containers": {"cna": {"affected": [{"product": "keycloak", "vendor": "n/a", "versions": [{"status": "affected", "version": "11.0.3, 12.0.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-23T15:53:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2020-35509"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:02:08.108Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2020-35509"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-35509", "datePublished": "2022-08-23T15:53:02", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-04T17:02:08.108Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:11.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B969F109-08D5-4A8B-B40E-F3B846EC16ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:keycloak:12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "12CD4C8E-1AB9-4D25-9F59-169FB351DEE9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity."}, {"lang": "es", "value": "Se ha encontrado un fallo en keycloak afectado a versiones 11.0.3 y 12.0.0. Un certificado caducado ser\u00eda aceptado por el autenticador de concesi\u00f3n directa debido a una falta de comprobaciones de la marca de tiempo. La mayor amenaza de esta vulnerabilidad es para la confidencialidad e integridad de los datos."}], "id": "CVE-2020-35509", "lastModified": "2024-11-21T05:27:27.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-23T16:15:08.950", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2020-35509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2020-35509"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Luca Leonardo Scorcia for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3534", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "keycloak", "product_name": "Red Hat Single Sign-On 7.4.9", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3527", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el6", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el6sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 6", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3528", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el7", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el7sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 7", "release_date": "2021-09-14T00:00:00Z"}, {"advisory": "RHSA-2021:3529", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7::el8", "package": "rh-sso7-keycloak-0:9.0.15-1.redhat_00002.1.el8sso", "product_name": "Red Hat Single Sign-On 7.4 for RHEL 8", "release_date": "2021-09-14T00:00:00Z"}], "bugzilla": {"description": "keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity", "id": "1912427", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1912427"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.", "A flaw was found in keycloak. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2020-35509", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2021-01-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-35509\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35509"], "threat_severity": "Low"}