CVE-2023-6563

Exploit

EPSS 0.3%
Veröffentlicht 14.12.2023 18:15:45
Zuletzt bearbeitet 21.11.2024 08:44:06
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version < 21.0.0

Redhat ≫ Single Sign-on Version7.6

   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0
   Redhat ≫ Enterprise Linux Version9.0

Redhat ≫ Single Sign-on Version- SwEditiontext-only

Redhat ≫ Openshift Container Platform Version4.11

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform Version4.12

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Power Version4.9

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Power Version4.10

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.9

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.10

Redhat ≫ Enterprise Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.529

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
secalert@redhat.com	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://access.redhat.com/errata/RHSA-2023:7854

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7855

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7856

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7857

Exploit

https://access.redhat.com/errata/RHSA-2023:7858

Vendor Advisory

https://access.redhat.com/security/cve/CVE-2023-6563

Vendor Advisory