First published: Thu Jun 04 2020(Updated: )
A vulnerability was found in Keycloak before 11.0.1 where a denial-of-service (DoS) attack is possible by sending twenty requests simultaneously to the targeted Keycloak server, each with a Content-Length header value that exceeds the actual byte count of the request body.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak | <11.0.1 | 11.0.1 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el6 | 0:9.0.5-1.redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el7 | 0:9.0.5-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el8 | 0:9.0.5-1.redhat_00001.1.el8 |
| Redhat Keycloak | <11.0.1 | |
| Redhat Openshift Application Runtimes | | |
| Redhat Openshift Application Runtimes | =1.0 | |
| Redhat Single Sign-on | | |
| Redhat Single Sign-on | =7.0 | |
| Redhat Single Sign-on | =7.4 | |
The vulnerability ID of this flaw in Keycloak is CVE-2020-10758.
The highest threat from the CVE-2020-10758 vulnerability is to system availability.
An attacker can exploit the CVE-2020-10758 vulnerability by sending multiple simultaneous requests, each with a Content-Length header value greater than the actual byte count of the request body.
Versions prior to 11.0.1 of Keycloak are affected by CVE-2020-10758.
To fix the CVE-2020-10758 vulnerability in Keycloak, you should update your Keycloak installation to version 11.0.1 or higher.