An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments that have millions of offline tokens (more than 500,000 users, each with at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption that could crash the entire system.
| Software | From | Fixed in |
|---|---|---|
| redhat / keycloak | - | 21.0.0 |
| redhat / single_sign-on | 7.6 | 7.6.x |
| redhat / openshift_container_platform | 4.11 | 4.11.x |
| redhat / openshift_container_platform | 4.12 | 4.12.x |
| redhat / openshift_container_platform_for_power | 4.9 | 4.9.x |
| redhat / openshift_container_platform_for_power | 4.10 | 4.10.x |
| redhat / openshift_container_platform_for_ibm_linuxone | 4.9 | 4.9.x |
| redhat / openshift_container_platform_for_ibm_linuxone | 4.10 | 4.10.x |