Vulnerability title
N/A
Vulnerability description
A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports verifying client certificates against a CRL, which can be fetched either from the URL carried in the certificate itself (the CDP) or from a separately configured path. CRLs are commonly served over the network via unencrypted protocols ('http' or 'ldap'), so the receiving side should verify the CRL's signature and, where possible, its certification path. Keycloak currently does not validate the signature on the CRL, which can enable various attacks such as man-in-the-middle.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through a CRL, where the CRL can be obtained from the URL provided in the certificate itself (CDP) or through a separately configured path. CRLs are often available over the network through unsecured protocols ('http' or 'ldap'), and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on the CRL, which can result in a possibility of various attacks like man-in-the-middle.
CVSS information
N/A
Vulnerability category
Insufficient verification of data authenticity
Vulnerability title
Red Hat Keycloak trust management issue vulnerability
Vulnerability description
Red Hat Keycloak is a software suite from the US company Red Hat that provides authentication and identity management for modern applications and services. Red Hat Keycloak versions before 6.0.2 contain a security vulnerability. An attacker can exploit this vulnerability to carry out a man-in-the-middle attack.
CVSS information
N/A
Vulnerability category
Trust management issue