CVE-2023-6841 Keycloak: amount of attributes per object is not limited and it may lead to dos

🗓️ 10 Sep 2024 16:15:32Reported by redhatType

Keycloak denial of service vulnerabilit

Reporter	Title	Published	Views	Family All 21
IBM Security Bulletins	Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to a denial of service	15 Apr 202503:19	–	ibm
Chainguard	CVE-2023-6841 vulnerabilities	22 Mar 202510:12	–	cgr
Circl	CVE-2023-6841	15 Mar 202504:45	–	circl
CNNVD	Red Hat Keycloak 安全漏洞	10 Sep 202400:00	–	cnnvd
CVE	CVE-2023-6841	10 Sep 202416:15	–	cve
EUVD	EUVD-2024-2886	3 Oct 202520:07	–	euvd
Github Security Blog	Keycloak Denial of Service vulnerability	10 Sep 202418:30	–	github
Tenable Nessus	Keycloak < 24.0.0 DoS (CVE-2023-6841)	18 Sep 202400:00	–	nessus
NVD	CVE-2023-6841	10 Sep 202417:15	–	nvd
OSV	CGA-82W7-62FP-W77F	31 Mar 202516:02	–	osv

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "24.0.0",
        "versionType": "semver"
      }
    ],
    "packageName": "keycloak",
    "collectionURL": "https://github.com/keycloak/keycloak",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:openshift_application_runtimes:1.0"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Fuse 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Mobile Application Platform 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:mobile_application_platform:4"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Application Runtimes",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:openshift_application_runtimes:1.0"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Process Automation 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rh-sso7-keycloak",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat support for Spring Boot",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "keycloak",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:openshift_application_runtimes:1.0"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2023-6841

08 Nov 2025 07:10Current

CVSS 3.17.5

EPSS0.00613

CWE-231