CVE-2020-10758

Published: 18 Aug 2020
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

A flaw was found in Keycloak. This flaw allows an attacker to perform a denial of service attack by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body. The highest threat from this vulnerability is to system availability.

Mitigation

  • Whether this issue can be triggered largely depends on the environment, specifically the load balancer or reverse proxies between the client and the server. The issue occurs when there is no load balancer in place.
  • Proper tuning of the HTTP request timeout and the Keycloak database max pool size can mitigate this issue:
    bin/jboss-cli.sh --connect --commands='/subsystem=transactions:write-attribute(name=default-timeout,value=30),/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000),/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000),/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100),reload'

Affected packages

Platform                                | Package          | Status       | Advisory       | Released
----------------------------------------|------------------|--------------|----------------|-----------
Red Hat Decision Manager 7              | keycloak         | Not affected |                |
Red Hat Fuse 7                          | keycloak         | Not affected |                |
Red Hat OpenShift Application Runtimes  | keycloak         | Affected     |                |
Red Hat Process Automation 7            | keycloak         | Not affected |                |
Red Hat support for Spring Boot         | keycloak         | Not affected |                |
Red Hat Single Sign-On 7.4.2            |                  | Fixed        | RHSA-2020:3501 | 18.08.2020
Red Hat Single Sign-On 7.4 for RHEL 6   | rh-sso7-keycloak | Fixed        | RHSA-2020:3495 | 18.08.2020
Red Hat Single Sign-On 7.4 for RHEL 7   | rh-sso7-keycloak | Fixed        | RHSA-2020:3496 | 18.08.2020
Red Hat Single Sign-On 7.4 for RHEL 8   | rh-sso7-keycloak | Fixed        | RHSA-2020:3497 | 18.08.2020
Text-Only RHOAR                         |                  | Fixed        | RHSA-2020:3539 | 02.09.2020


Additional information

Status: Important
Defect: CWE-400
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1843849
keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body

EPSS: 0.00529 (Low), percentile: 67%
CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
nvd
more than 5 years ago

A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

CVSS3: 7.5
debian
more than 5 years ago

A vulnerability was found in Keycloak before 11.0.1 where DoS attack i ...

CVSS3: 7.5
github
almost 4 years ago

Allocation of Resources Without Limits or Throttling in Keycloak

CVSS3: 7.5
fstec
more than 5 years ago

A vulnerability in the Keycloak identity and access management software, related to unbounded memory allocation, that allows an attacker to cause a denial of service
