Allocation of Resources Without Limits or Throttling in Keycloak

#VU47049 Allocation of Resources Without Limits or Throttling in Keycloak

Published: 2020-09-16 | Updated: 2020-09-24

Vulnerability identifier: #VU47049

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10758

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Keycloak: 11.0.0

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1843849

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Keycloak