CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:7854	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7855	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7856	Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7857	Exploit
https://access.redhat.com/errata/RHSA-2023:7858	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-6563	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2253308	Issue Tracking
https://github.com/keycloak/keycloak/issues/13340	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 (hide)

cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

History

27 Dec 2023, 18:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:redhat:keycloak:::::::: cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::* cpe:2.3:a:redhat:single_sign-on:7.6:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::* cpe:2.3:a:redhat:single_sign-on:-::::text-only::: cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.7
CWE		CWE-770
References	~~() https://access.redhat.com/errata/RHSA-2023:7857 -~~	() https://access.redhat.com/errata/RHSA-2023:7857 - Exploit
References	~~() https://access.redhat.com/errata/RHSA-2023:7858 -~~	() https://access.redhat.com/errata/RHSA-2023:7858 - Vendor Advisory
References	~~() https://access.redhat.com/errata/RHSA-2023:7854 -~~	() https://access.redhat.com/errata/RHSA-2023:7854 - Vendor Advisory
References	~~() https://access.redhat.com/security/cve/CVE-2023-6563 -~~	() https://access.redhat.com/security/cve/CVE-2023-6563 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2253308 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2253308 - Issue Tracking
References	~~() https://access.redhat.com/errata/RHSA-2023:7856 -~~	() https://access.redhat.com/errata/RHSA-2023:7856 - Vendor Advisory
References	~~() https://github.com/keycloak/keycloak/issues/13340 -~~	() https://github.com/keycloak/keycloak/issues/13340 - Issue Tracking
References	~~() https://access.redhat.com/errata/RHSA-2023:7855 -~~	() https://access.redhat.com/errata/RHSA-2023:7855 - Vendor Advisory

14 Dec 2023, 22:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2023:7857 - () https://access.redhat.com/errata/RHSA-2023:7858 - () https://access.redhat.com/errata/RHSA-2023:7854 - () https://access.redhat.com/errata/RHSA-2023:7856 - () https://access.redhat.com/errata/RHSA-2023:7855 -

14 Dec 2023, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-14 18:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-6563

Mitre link : CVE-2023-6563

CVE.ORG link : CVE-2023-6563

JSON object : View

Products Affected

redhat

openshift_container_platform
enterprise_linux
openshift_container_platform_for_ibm_linuxone
single_sign-on
keycloak
openshift_container_platform_for_power

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.7 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

JSON object

Attach tags to CVE-2023-6563

7.7^/10

Attach tags to `CVE-2023-6563`