PRION:CVE-2023-6563
Memory corruption

Published: 2023-12-14 18:15:00 (Dec 14, 2023 - 6:15 p.m.)
Source: PRIOn knowledge base (www.prio-n.com)
Tags: keycloak, memory corruption, vulnerability, offline tokens, user sessions, admin ui, excessive memory, cpu consumption

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.001 Low (Percentile: 39.6%)

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments that hold millions of offline tokens (more than 500,000 users, each with at least two saved sessions). If an attacker creates two or more user sessions and the "consents" tab of the admin user interface is then opened for that user, the UI attempts to load a huge number of offline client sessions, causing excessive memory and CPU consumption that can crash the entire system. Despite the "memory corruption" category label, this is a resource exhaustion (denial of service) issue, not a memory-safety bug: no memory is written out of bounds, and the impact is availability.
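The precondition above is about scale, so the first thing an operator wants is a cheap way to tell whether a realm is anywhere near it. The following is an added example, not Keycloak code and not part of the PRIOn entry: it evaluates Admin REST API responses against the figures quoted in the description. The endpoint paths named in the docstring are as I recall them from the Keycloak Admin REST API and should be checked against the documentation for your version; the `admin_get` helper, the bearer token, and the sample responses are constructed for illustration.

```python
"""Estimate whether a Keycloak realm meets the scale precondition given for
CVE-2023-6563 (millions of offline tokens). Added example, not Keycloak's code.

Assumed Admin REST API paths (verify against your version's documentation):
  GET /admin/realms/{realm}/clients/{client-uuid}/offline-session-count
      -> {"count": N}
  GET /admin/realms/{realm}/users/{user-id}/offline-sessions/{client-uuid}
      -> [UserSessionRepresentation, ...]
"""
import json
import urllib.request

# Figures quoted in the advisory text.
USER_THRESHOLD = 500_000          # "> 500,000 users"
MIN_SESSIONS_PER_USER = 2         # "each having at least 2 saved sessions"


def admin_get(base_url, realm, path, token):
    """Fetch one Admin REST API resource with a bearer token (hypothetical helper;
    not exercised by the sample run below)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def total_offline_sessions(counts_by_client):
    """Sum the per-client offline-session-count responses (the cheap signal)."""
    return sum(int(body.get("count", 0)) for body in counts_by_client.values())


def users_with_multiple_offline_sessions(sessions_by_user, minimum=MIN_SESSIONS_PER_USER):
    """Return the IDs of sampled users holding at least `minimum` offline sessions."""
    return sorted(
        user_id for user_id, sessions in sessions_by_user.items()
        if len(sessions) >= minimum
    )


def exposure_report(counts_by_client, sessions_by_user):
    """Combine the realm-wide total with a per-user sample into a short report."""
    total = total_offline_sessions(counts_by_client)
    heavy_users = users_with_multiple_offline_sessions(sessions_by_user)
    return {
        "total_offline_sessions": total,
        # ">500,000 users with >=2 sessions" implies more than one million tokens.
        "total_exceeds_advisory_figure": total > USER_THRESHOLD * MIN_SESSIONS_PER_USER,
        "sampled_users_with_multiple_sessions": len(heavy_users),
        "sampled_user_ids_with_multiple_sessions": heavy_users,
    }


# Constructed sample data standing in for live API responses: two clients, one
# with a large offline-session count; three users, two holding two sessions each.
SAMPLE_COUNTS = {
    "client-a-uuid": {"count": 1_200_000},
    "client-b-uuid": {"count": 3_500},
}
SAMPLE_SESSIONS = {
    "user-1": [{"id": "s1", "clients": {"client-a-uuid": "app-a"}},
               {"id": "s2", "clients": {"client-a-uuid": "app-a"}}],
    "user-2": [{"id": "s3", "clients": {"client-b-uuid": "app-b"}}],
    "user-3": [{"id": "s4", "clients": {"client-a-uuid": "app-a"}},
               {"id": "s5", "clients": {"client-a-uuid": "app-a"}}],
}

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_COUNTS, SAMPLE_SESSIONS), indent=2))
```

Use the per-client count as the primary indicator: enumerating offline sessions for hundreds of thousands of users through the REST API is itself expensive on a large realm, so sample users rather than sweeping them all. A realm whose total is well below one million tokens is outside the scenario the description gives, whatever the per-user sample shows.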
