7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.6%
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the “consents” tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
CPE | Name | Operator | Version |
---|---|---|---|
org.keycloak:keycloak-model-jpa | lt | 21.0.0 |
access.redhat.com/errata/RHSA-2023:7854
access.redhat.com/errata/RHSA-2023:7855
access.redhat.com/errata/RHSA-2023:7856
access.redhat.com/errata/RHSA-2023:7857
access.redhat.com/errata/RHSA-2023:7858
access.redhat.com/security/cve/CVE-2023-6563
bugzilla.redhat.com/show_bug.cgi?id=2253308
github.com/advisories/GHSA-54f3-c6hg-865h
github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
github.com/keycloak/keycloak/issues/13340
github.com/keycloak/keycloak/pull/15463
nvd.nist.gov/vuln/detail/CVE-2023-6563
7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.6%