Keycloak: offline session token DoS
CVE-2023-6563

7.7HIGH

Summary

A memory consumption issue has been identified in Keycloak that can severely degrade performance in environments managing millions of offline tokens. An authenticated attacker first creates a large number of user sessions that hold offline tokens. When an administrator later opens the 'Consents' tab for that user in the admin console, the UI attempts to load every offline client session at once; the resulting CPU and memory consumption can exhaust the server and crash it. The impact is to availability only: no data is disclosed or modified.
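The precondition the summary describes is a single user who has accumulated an abnormal number of offline sessions. As an added example (not the advisory's or Keycloak's own code), the following Python script walks a constructed event log written in the key=value style of Keycloak's logging event listener and flags users whose live offline-session count exceeds a threshold, so an operator can spot the build-up before anyone opens the Consents tab. The log format, the session-accounting rules (an offline_access LOGIN adds a session, REVOKE_GRANT clears a user/client pair, LOGOUT leaves offline sessions untouched) and the threshold are assumptions to adapt to your own deployment.

```python
from collections import Counter, defaultdict

# Constructed sample lines in the key=value style of Keycloak's logging event
# listener; they are illustrative, not captured from a real server.
SAMPLE_EVENTS = """\
type=LOGIN, realmId=demo, clientId=app-a, userId=u-1001, ipAddress=10.0.0.5, scope="openid offline_access"
type=LOGIN, realmId=demo, clientId=app-a, userId=u-1001, ipAddress=10.0.0.5, scope="openid offline_access"
type=LOGIN, realmId=demo, clientId=app-a, userId=u-1001, ipAddress=10.0.0.5, scope="openid offline_access"
type=LOGIN, realmId=demo, clientId=app-b, userId=u-1001, ipAddress=10.0.0.5, scope="openid offline_access"
type=LOGIN, realmId=demo, clientId=app-b, userId=u-1001, ipAddress=10.0.0.5, scope="openid offline_access"
type=LOGIN, realmId=demo, clientId=app-a, userId=u-1002, ipAddress=10.0.0.9, scope="openid"
type=LOGIN, realmId=demo, clientId=app-a, userId=u-1002, ipAddress=10.0.0.9, scope="openid offline_access"
type=REVOKE_GRANT, realmId=demo, clientId=app-b, userId=u-1001, ipAddress=10.0.0.5
type=LOGOUT, realmId=demo, clientId=app-a, userId=u-1001, ipAddress=10.0.0.5
"""


def parse_event(line):
    """Parse one 'key=value, key=value' event line into a dict (quotes stripped)."""
    fields = {}
    for part in line.strip().split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def parse_events(text):
    """Parse every non-empty line of an event log."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def offline_session_counts(events):
    """
    Estimate live offline sessions per (user, client) from the event stream.
    Assumed accounting (not Keycloak's internal bookkeeping): a LOGIN whose
    scope includes offline_access creates one offline session; REVOKE_GRANT
    for that user/client removes all of them; LOGOUT does not touch offline
    sessions, which is why they keep accumulating until revoked or expired.
    Also counts offline logins per source IP, since an attacker may spread
    sessions across several accounts from one address.
    """
    live = defaultdict(int)   # (user, client) -> live offline sessions
    by_ip = Counter()         # ip -> offline logins seen, regardless of revocation
    for ev in events:
        key = (ev.get("userId"), ev.get("clientId"))
        if ev.get("type") == "LOGIN" and "offline_access" in ev.get("scope", "").split():
            live[key] += 1
            by_ip[ev.get("ipAddress")] += 1
        elif ev.get("type") == "REVOKE_GRANT":
            live.pop(key, None)
    return live, by_ip


def flag_users(live, threshold):
    """Return [(user, live offline sessions)] for users above threshold, highest first."""
    per_user = Counter()
    for (user, _client), n in live.items():
        per_user[user] += n
    flagged = [(u, n) for u, n in per_user.items() if n > threshold]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    live, by_ip = offline_session_counts(parse_events(SAMPLE_EVENTS))
    # Threshold is a placeholder; set it from your own baseline of legitimate
    # offline sessions (mobile and CLI clients commonly hold a handful per user).
    for user, n in flag_users(live, threshold=2):
        print(f"user {user} holds {n} live offline sessions")
    for ip, n in by_ip.most_common(3):
        print(f"{ip}: {n} offline logins")
```

Offline sessions are legitimate for long-lived clients, so the useful signal is not "has offline sessions" but a count far above the deployment's normal per-user baseline, or a burst of offline_access logins from one source address; either is the moment to revoke the user's grants rather than inspect them through the Consents tab.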

Affected Version(s)

Red Hat Single Sign-On 7.6 for RHEL 7 0:18.0.11-2.redhat_00003.1.el7sso

Red Hat Single Sign-On 7.6 for RHEL 8 0:18.0.11-2.redhat_00003.1.el8sso

Red Hat Single Sign-On 7.6 for RHEL 9 0:18.0.11-2.redhat_00003.1.el9sso

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved