Keycloak: offline session token DoS
CVE-2023-6563
CVSS score: 7.7 HIGH
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 14 December 2023
What is CVE-2023-6563?
An unconstrained memory consumption issue was identified in Keycloak. It is only reachable in deployments that hold a very large number of offline tokens (on the order of millions, i.e. a large user population each keeping several offline sessions), and it is triggered from the administration console: an actor with access to the admin UI opens the 'consents' tab for a user account. To render that tab the UI attempts to load the offline client sessions behind those consents, and with a token population of that size the request drives CPU and memory use high enough to degrade or crash the whole Keycloak instance. The precondition is the size of the existing offline-session store, not sessions the attacker creates; the attacker only needs enough admin-console privilege to reach the tab, which is why the issue is rated HIGH despite requiring an authenticated user.
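The practical question for an operator is whether a realm is anywhere near the offline-token population that makes this issue reachable, before an administrator wanders into the 'consents' tab. The following script is an added example, not code from the advisory or from the Keycloak project. It measures the offline-session footprint per client using two real Keycloak admin REST endpoints (`GET /admin/realms/{realm}/clients` and `GET /admin/realms/{realm}/clients/{id}/offline-session-count`, the latter returning `{"count": N}`); the base URL, bearer token, the `RISK_THRESHOLD` value and the constructed sample responses are assumptions made for the example.

```python
"""Estimate a realm's offline-session footprint via the Keycloak admin REST API.

Added example (not Keycloak project code). Real admin API routes used:
  GET /admin/realms/{realm}/clients                            -> [{"id": ..., "clientId": ...}, ...]
  GET /admin/realms/{realm}/clients/{id}/offline-session-count -> {"count": N}
Base URL, bearer token and the risk threshold are assumptions of this script.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# Hypothetical threshold: the advisory talks about "millions" of offline tokens,
# so treat anything at or above one million as a realm where the consents tab
# is a self-inflicted denial of service waiting to happen.
RISK_THRESHOLD = 1_000_000


def admin_get(base_url: str, token: str, path: str):
    """Perform an authenticated GET against the admin API and decode the JSON body."""
    req = urllib.request.Request(
        f"{base_url}{path}", headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def offline_session_counts(realm: str, fetch: Callable[[str], object]) -> Dict[str, int]:
    """Return {clientId: offline session count} for every client in the realm.

    `fetch` is injected so the same logic runs against a live server
    (functools.partial(admin_get, base_url, token)) or against canned data.
    """
    clients: List[dict] = fetch(f"/admin/realms/{realm}/clients")
    counts: Dict[str, int] = {}
    for client in clients:
        body = fetch(f"/admin/realms/{realm}/clients/{client['id']}/offline-session-count")
        counts[client["clientId"]] = int(body.get("count", 0))
    return counts


def assess(counts: Dict[str, int], threshold: int = RISK_THRESHOLD) -> dict:
    """Summarise the realm: total offline sessions, whether it crosses the
    threshold, and the clients contributing most (largest first)."""
    total = sum(counts.values())
    top: List[Tuple[str, int]] = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:5]
    return {"total": total, "at_risk": total >= threshold, "top": top}


# Constructed sample responses standing in for a live server, so the example
# runs offline. Figures are invented for illustration.
CONSTRUCTED_RESPONSES = {
    "/admin/realms/demo/clients": [
        {"id": "1111-aaaa", "clientId": "mobile-app"},
        {"id": "2222-bbbb", "clientId": "account-console"},
    ],
    "/admin/realms/demo/clients/1111-aaaa/offline-session-count": {"count": 1_400_000},
    "/admin/realms/demo/clients/2222-bbbb/offline-session-count": {"count": 250_000},
}


def constructed_fetch(path: str):
    """Offline stand-in for admin_get(); serves the constructed responses above."""
    return CONSTRUCTED_RESPONSES[path]


if __name__ == "__main__":
    # Against a real server you would use:
    #   from functools import partial
    #   fetch = partial(admin_get, "https://sso.example.internal", "<admin bearer token>")
    report = assess(offline_session_counts("demo", constructed_fetch))
    print(json.dumps(report, indent=2))
    if report["at_risk"]:
        print("WARNING: realm holds enough offline sessions for CVE-2023-6563 to be triggerable "
              "from the admin console; restrict admin UI access and upgrade.")
```

Running it against a realm that reports a total at or above the threshold is the cue to limit who can reach the admin console (in particular the user management views) until the fixed build is deployed, and to look at whether the offline-session population itself is legitimate.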
Affected Version(s)
Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.11-2.redhat_00003.1.el7sso
Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.11-2.redhat_00003.1.el8sso
Red Hat Single Sign-On 7.6 for RHEL 9 0:18.0.11-2.redhat_00003.1.el9sso