Vulnerability details: VCID-pxvj-zt7w-aaae
Vulnerability ID: VCID-pxvj-zt7w-aaae
Aliases: CVE-2020-35509, GHSA-rpj2-w6fr-79hc
Summary: CVE-2020-35509 keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
System Score Found at
rhas Moderate https://access.redhat.com/errata/RHSA-2021:3527
rhas Moderate https://access.redhat.com/errata/RHSA-2021:3528
rhas Moderate https://access.redhat.com/errata/RHSA-2021:3529
rhas Moderate https://access.redhat.com/errata/RHSA-2021:3534
cvssv3 4.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-35509.json
cvssv3.1 5.4 https://access.redhat.com/security/cve/cve-2020-35509
generic_textual MODERATE https://access.redhat.com/security/cve/cve-2020-35509
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2020-35509
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2020-35509
epss 0.00098 https://api.first.org/data/v1/epss?cve=CVE-2020-35509
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2020-35509
epss 0.00192 https://api.first.org/data/v1/epss?cve=CVE-2020-35509
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=1912427
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rpj2-w6fr-79hc
cvssv3.1 6.8 https://github.com/keycloak/keycloak
generic_textual HIGH https://github.com/keycloak/keycloak
cvssv3.1 5.4 https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
generic_textual MODERATE https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
cvssv3.1 5.4 https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
generic_textual MODERATE https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
cvssv3.1 5.4 https://github.com/keycloak/keycloak/pull/6330
generic_textual MODERATE https://github.com/keycloak/keycloak/pull/6330
cvssv3.1 5.4 https://github.com/keycloak/keycloak/pull/8067
generic_textual MODERATE https://github.com/keycloak/keycloak/pull/8067
cvssv3 5.4 https://nvd.nist.gov/vuln/detail/CVE-2020-35509
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2020-35509
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2020-35509
archlinux Medium https://security.archlinux.org/AVG-2084
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-35509.json
https://access.redhat.com/security/cve/cve-2020-35509
https://api.first.org/data/v1/epss?cve=CVE-2020-35509
https://github.com/keycloak/keycloak
https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
https://github.com/keycloak/keycloak/pull/6330
https://github.com/keycloak/keycloak/pull/8067
1912427 https://bugzilla.redhat.com/show_bug.cgi?id=1912427
ASA-202106-53 https://security.archlinux.org/ASA-202106-53
AVG-2084 https://security.archlinux.org/AVG-2084
cpe:2.3:a:redhat:keycloak:11.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:11.0.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:12.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak:12.0.0:*:*:*:*:*:*:*
CVE-2020-35509 https://nvd.nist.gov/vuln/detail/CVE-2020-35509
GHSA-rpj2-w6fr-79hc https://github.com/advisories/GHSA-rpj2-w6fr-79hc
RHSA-2021:3527 https://access.redhat.com/errata/RHSA-2021:3527
RHSA-2021:3528 https://access.redhat.com/errata/RHSA-2021:3528
RHSA-2021:3529 https://access.redhat.com/errata/RHSA-2021:3529
RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
No exploits are available.
Metric legend: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-35509.json
  AV: network, AC: high, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/security/cve/cve-2020-35509
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/keycloak/keycloak
  AV: network, AC: high, PR: none, UI: required, S: unchanged, C: high, I: high, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/commit/478319348bdfdb9b6d39122f41edf2af79f679bb
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/pull/6330
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/keycloak/keycloak/pull/8067
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-35509
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-35509
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: high, I: high, A: none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-35509
  AV: network, AC: low, PR: low, UI: none, S: unchanged, C: low, I: low, A: none
Exploit Prediction Scoring System (EPSS)
Percentile: 0.23916
EPSS Score: 0.00054
Published At: Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.