CVE-2023-6563

🗓️ 14 Dec 2023 18:01:26Reported by redhatType

Keycloak memory consumption vulnerability due to large number of offline tokens

Reporter	Title	Published	Views	Family All 27
Circl	CVE-2023-6563	27 Dec 202321:16	–	circl
CNNVD	Red Hat Keycloak Security Vulnerability	14 Dec 202300:00	–	cnnvd
Cvelist	CVE-2023-6563 Keycloak: offline session token dos	14 Dec 202318:01	–	cvelist
EUVD	EUVD-2023-3108	3 Oct 202520:07	–	euvd
Github Security Blog	Allocation of Resources Without Limits in Keycloak	14 Dec 202318:30	–	github
NVD	CVE-2023-6563	14 Dec 202318:15	–	nvd
OSV	CVE-2023-6563	14 Dec 202318:15	–	osv
OSV	GHSA-54F3-C6HG-865H Allocation of Resources Without Limits in Keycloak	14 Dec 202318:30	–	osv
OSV	RHSA-2023:7854 Red Hat Security Advisory: Red Hat Single Sign-On 7.6.6 security update on RHEL 7	18 Sep 202408:44	–	osv
OSV	RHSA-2023:7855 Red Hat Security Advisory: Red Hat Single Sign-On 7.6.6 security update on RHEL 9	18 Sep 202408:44	–	osv

NVD

Node

redhat keycloakRange<21.0.0

Node

redhat single_sign-onMatch7.6

AND

redhat enterprise_linuxMatch7.0

redhat enterprise_linuxMatch8.0

redhat enterprise_linuxMatch9.0

Node

redhat single_sign-onMatch-text-only

Node

redhat openshift_container_platformMatch4.11

redhat openshift_container_platformMatch4.12

AND

redhat enterprise_linuxMatch8.0

Node

redhat openshift_container_platform_for_powerMatch4.9

redhat openshift_container_platform_for_powerMatch4.10

AND

redhat enterprise_linuxMatch8.0

Node

redhat openshift_container_platform_for_ibm_linuxoneMatch4.9

redhat openshift_container_platform_for_ibm_linuxoneMatch4.10

AND

redhat enterprise_linuxMatch8.0

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.11-2.redhat_00003.1.el7sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.11-2.redhat_00003.1.el8sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:18.0.11-2.redhat_00003.1.el9sso",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rh-sso-7/sso76-openshift-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.6-38",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rh-sso-7/sso7-rhel8-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.6.6-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Single Sign-On 7.6.6",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "packageName": "rh-sso7-keycloak",
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7.6.6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Build of Keycloak",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak-core",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:build_keycloak:"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2023:7855
access	www.access.redhat.com/errata/RHSA-2023:7858
access	www.access.redhat.com/errata/RHSA-2023:7857
access	www.access.redhat.com/security/cve/CVE-2023-6563
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/errata/RHSA-2023:7856
github	www.github.com/keycloak/keycloak/issues/13340
access	www.access.redhat.com/errata/RHSA-2023:7854

11 Nov 2025 15:10Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.7

EPSS0.00539

CWE-770