Keycloak: amount of attributes per object is not limited and it may lead to dos

CVE-2023-6841

7.5HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Quarkus; Red Hat Fuse 7; Red Hat Mobile Application Platform 4; Red Hat Openshift Application Runtimes
Vendor: CVE Published:; 10 September 2024

Summary

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 6.5 - (MEDIUM)
Sep 10, 2024
Vulnerability published.
Sep 10, 2024
Vulnerability Reserved.
Dec 15, 2023
Reported to Red Hat.
Dec 15, 2023

Collectors

NVD DatabaseMitre Database

.