CVE-2023-6563
Published: 2023-12-14
Severity: High, CVSS 3.1 base score 7.7
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and an administrator then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | keycloak | < 21.0.0 | 21.0.0 |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform | — | — |
| redhat | openshift_container_platform_for_ibm_linuxone | — | — |
| redhat | openshift_container_platform_for_ibm_linuxone | — | — |
| redhat | openshift_container_platform_for_power | — | — |
| redhat | openshift_container_platform_for_power | — | — |
| redhat | single_sign-on | — | — |