CVE-2023-6563

Exploit

EPSS 0.3%
Published 14.12.2023 18:15:45
Last modified 21.11.2024 08:44:06
Source secalert@redhat.com
Teams watchlist Login
Open Login

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version < 21.0.0

Redhat ≫ Single Sign-on Version7.6

   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0
   Redhat ≫ Enterprise Linux Version9.0

Redhat ≫ Single Sign-on Version- SwEditiontext-only

Redhat ≫ Openshift Container Platform Version4.11

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform Version4.12

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Power Version4.9

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Power Version4.10

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.9

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Openshift Container Platform For Ibm Linuxone Version4.10

Redhat ≫ Enterprise Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.529

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
secalert@redhat.com	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://access.redhat.com/errata/RHSA-2023:7854

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7855

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7856

Vendor Advisory

https://access.redhat.com/errata/RHSA-2023:7857

Exploit

https://access.redhat.com/errata/RHSA-2023:7858

Vendor Advisory

https://access.redhat.com/security/cve/CVE-2023-6563

Vendor Advisory