High severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-10758


Description

A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.keycloak:keycloak-parentMaven
< 11.0.1 | 11.0.1


Patches

1
bee4ca898977

KEYCLOAK-14872 CL DoS

https://github.com/keycloak/keycloak · Tomas Kyjovsky · Jun 25, 2020 · via ghsa
6 files changed · +85 2
  • distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-clustered.cli+20 0 modified
    @@ -695,6 +695,26 @@ if (result != fixed) of /profile=$clusteredProfile/subsystem=keycloak-server/spi
         end-try
     end-if
     
    +# Migrate from 8.0.0 to 9.0.5
    +
    +if (result == 120000 || result == undefined) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
    +    echo Updating value of http listener read-timeout.
    +    /profile=$clusteredProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 120000 || result == undefined) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
    +    echo Updating value of https listener read-timeout.
    +    /profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 20 || result == undefined) of /profile=$clusteredProfile/subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
    +    echo Updating value of datasource max-pool-size.
    +    /profile=$clusteredProfile/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
    +    echo
    +end-if
    +
     # Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)
     
     if (result != org.keycloak.keycloak-model-infinispan) of /profile=$clusteredProfile/subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
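Review bot: The condition `if (result == 120000 || result == undefined) of /profile=$clusteredProfile/subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)` assumes the `https` listener exists; on a profile where it has been removed or renamed the read-attribute fails, and unlike the preceding hostname step (whose `end-try` is visible at the top of the hunk) the three new `if … end-if` blocks are not wrapped in `try`/`catch`/`end-try`, so the remaining migration steps may not run. Wrapping them the same way would keep the script consistent and resilient; the identical block is added to migrate-domain-standalone.cli, migrate-standalone.cli and migrate-standalone-ha.cli, which share the issue. The section label `# Migrate from 8.0.0 to 9.0.5` is placed directly before the `10.0.2 to 11.0.0` section although the fix ships in 11.0.1, so confirm the label reflects the release in which these defaults actually changed. A short why-comment above the block would also help future maintainers, e.g. `# CVE-2020-10758 mitigation: cap listener read-timeout and enlarge the KeycloakDS pool (keep in sync with the keycloak-undertow.xml / keycloak-datasources.xml templates)`.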
    
  • distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-domain-standalone.cli+20 0 modified
    @@ -596,6 +596,26 @@ if (result != fixed) of /profile=$standaloneProfile/subsystem=keycloak-server/sp
         end-try
     end-if
     
    +# Migrate from 8.0.0 to 9.0.5
    +
    +if (result == 120000 || result == undefined) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
    +    echo Updating value of http listener read-timeout.
    +    /profile=$standaloneProfile/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 120000 || result == undefined) of /profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
    +    echo Updating value of https listener read-timeout.
    +    /profile=$standaloneProfile/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 20 || result == undefined) of /profile=$standaloneProfile/subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
    +    echo Updating value of datasource max-pool-size.
    +    /profile=$standaloneProfile/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
    +    echo
    +end-if
    +
     # Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)
     
     if (result != org.keycloak.keycloak-model-infinispan) of /profile=$standaloneProfile/subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
    
  • distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone.cli+20 0 modified
    @@ -639,6 +639,26 @@ if (result != fixed) of /subsystem=keycloak-server/spi=hostname/:read-attribute(
         end-try
     end-if
     
    +# Migrate from 8.0.0 to 9.0.5
    +
    +if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
    +    echo Updating value of http listener read-timeout.
    +    /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
    +    echo Updating value of https listener read-timeout.
    +    /subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 20 || result == undefined) of /subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
    +    echo Updating value of datasource max-pool-size.
    +    /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
    +    echo
    +end-if
    +
     # Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)
     
     if (result != org.keycloak.keycloak-model-infinispan) of /subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
    
  • distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/migrate-standalone-ha.cli+20 0 modified
    @@ -774,6 +774,26 @@ if (result != fixed) of /subsystem=keycloak-server/spi=hostname/:read-attribute(
         end-try
     end-if
     
    +# Migrate from 8.0.0 to 9.0.5
    +
    +if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/http-listener=default/:read-attribute(name=read-timeout)
    +    echo Updating value of http listener read-timeout.
    +    /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 120000 || result == undefined) of /subsystem=undertow/server=default-server/https-listener=https/:read-attribute(name=read-timeout)
    +    echo Updating value of https listener read-timeout.
    +    /subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000)
    +    echo
    +end-if
    +
    +if (result == 20 || result == undefined) of /subsystem=datasources/data-source=KeycloakDS/:read-attribute(name=max-pool-size)
    +    echo Updating value of datasource max-pool-size.
    +    /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100)
    +    echo
    +end-if
    +
     # Migrate from 10.0.2 to 11.0.0 (migration changes for infinispan update from 9.4.18.Final to 10.1.8.Final)
     
     if (result != org.keycloak.keycloak-model-infinispan) of /subsystem=infinispan/cache-container=keycloak:read-attribute(name=module)
    
  • wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-datasources.xml+3 0 modified
    @@ -36,6 +36,9 @@
                         <user-name>sa</user-name>
                         <password>sa</password>
                     </security>
    +                <pool>
    +                    <max-pool-size>100</max-pool-size>
    +                </pool>
                 </datasource>
                 <drivers>
                     <driver name="h2" module="com.h2database.h2">
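Review bot: `<max-pool-size>100</max-pool-size>` is added without a comment, and nothing in the template says why 100 was chosen or what the previous value was; the companion migration scripts test for `result == 20`, which suggests the prior effective size was 20, but that should be confirmed against the datasources subsystem default rather than assumed. Add a comment inside the new `<pool>` element, e.g. `<!-- Raised for CVE-2020-10758; keep in sync with the max-pool-size migration in bin/migrate-*.cli -->`, so the template and the four migration scripts do not drift apart.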
    
  • wildfly/server-subsystem/src/main/resources/subsystem-templates/keycloak-undertow.xml+2 2 modified
    @@ -28,8 +28,8 @@
             <buffer-cache name="default"/>
             <server name="default-server">
                 <?AJP?>
    -            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    -            <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    +            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" read-timeout="30000"/>
    +            <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" read-timeout="30000"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
                     <http-invoker security-realm="ApplicationRealm"/>
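Review bot: `read-timeout="30000"` on the http and https listeners carries no explanation, and the `<?AJP?>` processing-instruction placeholder on the line above suggests an AJP listener may be expanded there in some builds without the same bound, so confirm whether it needs one. Undertow's listener read-timeout is expressed in milliseconds; a comment such as `<!-- read-timeout (ms): drop connections whose request body stalls; mitigation for CVE-2020-10758, keep in sync with bin/migrate-*.cli -->` placed above the two listener lines would make the intent explicit. The same value is written by the four migration scripts in this commit, so any later change has to be made in five places.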
    


