CVE-2019-3875: Improper Certificate Validation

June 27, 2019 (updated August 17, 2021)

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (‘http’ or ’ldap’) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn’t validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875
github.com/advisories/GHSA-38cg-gg9j-q9j9
nvd.nist.gov/vuln/detail/CVE-2019-3875

Code Behaviors & Features

Detect and mitigate CVE-2019-3875 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →