CVE-2023-6563 org.keycloak:keycloak-model-jpa

Package

Manager: maven
Name: org.keycloak:keycloak-model-jpa
Vulnerable Version: >=0 <21.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

EPSS: 0.00304 (percentile 0.53151)

Details

Allocation of Resources Without Limits in Keycloak. An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments that have millions of offline tokens (more than 500,000 users, each with at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption that could potentially crash the entire system.

Metadata

Created: 2023-12-14T18:30:22Z
Modified: 2023-12-29T00:14:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-54f3-c6hg-865h/GHSA-54f3-c6hg-865h.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-54f3-c6hg-865h
Finding: F067
Auto approve: 1