CVE-2020-10758
First published: Thu Jun 04 2020(Updated: )
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak | <11.0.1 | 11.0.1 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el6 | 0:9.0.5-1.redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el7 | 0:9.0.5-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el8 | 0:9.0.5-1.redhat_00001.1.el8 |
| Redhat Keycloak | <11.0.1 | |
| Redhat Openshift Application Runtimes | ||
| Redhat Openshift Application Runtimes | =1.0 | |
| Redhat Single Sign-on | ||
| Redhat Single Sign-on | =7.0 | |
| Redhat Single Sign-on | =7.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1843849
- https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251
- https://issues.redhat.com/browse/KEYCLOAK-14363
- https://access.redhat.com/errata/RHSA-2020:3495
- https://access.redhat.com/errata/RHSA-2020:3496
- https://access.redhat.com/errata/RHSA-2020:3497
- https://access.redhat.com/errata/RHSA-2020:3501
- https://access.redhat.com/security/cve/cve-2020-10758
- https://access.redhat.com/errata/RHSA-2020:3539
- https://www.cve.org/CVERecord?id=CVE-2020-10758 https://nvd.nist.gov/vuln/detail/CVE-2020-10758
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this flaw in Keycloak?
The vulnerability ID of this flaw in Keycloak is CVE-2020-10758.
What is the impact of the CVE-2020-10758 vulnerability?
The highest threat from the CVE-2020-10758 vulnerability is to system availability.
How can an attacker exploit the CVE-2020-10758 vulnerability?
An attacker can exploit the CVE-2020-10758 vulnerability by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body.
Which versions of Keycloak are affected by CVE-2020-10758?
Versions prior to 11.0.1 of Keycloak are affected by CVE-2020-10758.
How do I fix the CVE-2020-10758 vulnerability in Keycloak?
To fix the CVE-2020-10758 vulnerability in Keycloak, you should update your Keycloak installation to version 11.0.1 or higher.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-10758
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat openshift application runtimes
- version/redhat openshift application runtimes/1.0
- canonical/redhat single sign-on
- version/redhat single sign-on/7.0
- version/redhat single sign-on/7.4
- package-manager/redhat