CVE-2023-6563

Severity: 7.7 HIGH
EPSS: 0.5% (top 32.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 14

Description

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.1 | Impact: 4.0

Affected Packages (3 packages)

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

Vulnerability Details (3)

CVEList: Keycloak: offline session token DoS (2023-12-14)
GHSA: Allocation of Resources Without Limits in Keycloak (2023-12-14)
OSV: Allocation of Resources Without Limits in Keycloak (2023-12-14)

Vendor Advisories (1)

Red Hat: keycloak: offline session token DoS (2023-12-14)