GitHub Advisory DatabaseGHSA-54F3-C6HG-865HAllocation of Resources Without Limits in Keycloak
7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.6%
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the “consents” tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.keycloak:keycloak-model-jpa | lt | 21.0.0 |
References
access.redhat.com/errata/RHSA-2023:7854
access.redhat.com/errata/RHSA-2023:7855
access.redhat.com/errata/RHSA-2023:7856
access.redhat.com/errata/RHSA-2023:7857
access.redhat.com/errata/RHSA-2023:7858
access.redhat.com/security/cve/CVE-2023-6563
bugzilla.redhat.com/show_bug.cgi?id=2253308
github.com/advisories/GHSA-54f3-c6hg-865h
github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
github.com/keycloak/keycloak/issues/13340
github.com/keycloak/keycloak/pull/15463
nvd.nist.gov/vuln/detail/CVE-2023-6563
Related
7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.6%