Miggo Logo
Miggo Vulnerability Database
CVE-2020-35509

CVE-2020-35509: Keycloak vulnerable to Improper Certificate Validation

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-35509
GHSA ID
GHSA-rpj2-w6fr-79hc
EPSS Score
0.29407%
CWE
CWE-295
Published
8/24/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.keycloak:keycloak-coremaven< 14.0.014.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing timestamp validation in X509 direct grant authentication. The commit diff shows the fix added .validateTimestamps() to the validation chain in ValidateX509CertificateUsername.java. Prior to this fix, the certificate validation sequence only included checkRevocationStatus(), .validateKeyUsage(), and .validateExtendedKeyUsage(), but omitted critical time validity checks. This matches the CWE-295 description of improper certificate validation and explains why expired certificates were accepted.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

k*y*lo*k ****pts *n *xpir** **rti*i**t* *y t** *ir**t-*r*nt *ut**nti**tor ****us* o* missin* tim* st*mp v*li**tions. T** *i***st t*r**t *rom t*is vuln*r**ility is to **t* *on*i**nti*lity *n* int**rity. T*is issu* w*s p*rti*lly *ix** in v*rsion [**.*

Reasoning

T** vuln*r**ility st*mm** *rom missin* tim*st*mp v*li**tion in X*** *ir**t *r*nt *ut**nti**tion. T** *ommit *i** s*ows t** *ix ***** `.v*li**t*Tim*st*mps()` to t** v*li**tion ***in in `V*li**t*X*****rti*i**t*Us*rn*m*.j*v*`. Prior to t*is *ix, t** **r