N/A

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

N/A

对数据真实性的验证不充分

Red Hat Keycloak 信任管理问题漏洞

Red Hat Keycloak是美国红帽（Red Hat）公司的一套为现代应用和服务提供身份验证和管理功能的软件。 Red Hat Keycloak 6.0.2之前版本中存在安全漏洞。攻击者可利用该漏洞实施中间人攻击。

N/A

N/A