CVE-2019-3875
First published: Tue Mar 19 2019(Updated: )
A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloack | <7.0.0 | 7.0.0 |
| Redhat Keycloak | <6.0.2 | |
| Redhat Single Sign-on | =7.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/108748
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875
- https://issues.jboss.org/browse/KEYCLOAK-9846
- https://github.com/keycloak/keycloak/commit/996389d61b1996ac6fe2ce2264fba0616f006055
- https://github.com/keycloak/keycloak/commit/a48698caa32933458916980ab05256f56099a337
- https://github.com/keycloak/keycloak/commit/db271f7150aae914a8f256ccb48e9d1dac9d7126
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/security/cve/cve-2019-3875
- https://access.redhat.com/support/policy/updates/rhmap
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/errata/RHSA-2020:2366
- https://bugzilla.redhat.com/show_bug.cgi?id=1690628
- https://www.cve.org/CVERecord?id=CVE-2019-3875 https://nvd.nist.gov/vuln/detail/CVE-2019-3875
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-3875?
CVE-2019-3875 is a vulnerability found in Keycloak before version 6.0.2.
What is the severity of CVE-2019-3875?
CVE-2019-3875 has a severity rating of 6.5 (Medium).
How does CVE-2019-3875 affect Keycloak?
CVE-2019-3875 affects Keycloak versions before 6.0.2 and the X.509 authenticator component.
How can CVE-2019-3875 be fixed?
To fix CVE-2019-3875, upgrade Keycloak to version 6.0.2 or higher.
Where can I find more information about CVE-2019-3875?
You can find more information about CVE-2019-3875 at the following references: [link1](https://issues.jboss.org/browse/KEYCLOAK-9846), [link2](https://github.com/keycloak/keycloak/commit/996389d61b1996ac6fe2ce2264fba0616f006055), [link3](https://github.com/keycloak/keycloak/commit/a48698caa32933458916980ab05256f56099a337).
- collector/redhat-cve
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/references
- agent/author
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-3875
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/tags
- agent/event
- agent/trending
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat single sign-on
- version/redhat single sign-on/7.3
- package-manager/redhat