Fluid Attacks Database

Description

Keycloak Denial of Service vulnerability A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-core	>=0 <24.0.0	24.0.0

Aliases

1. CVE-2023-68412. NVD-2023-68413. OSV-2023-68414. GCVE-2023-68415. ACCESS-CVE-2023-6841

References

1. https://github.com/keycloak/keycloak/issues/328372. https://bugzilla.redhat.com/show_bug.cgi?id=22547143. https://github.com/keycloak/keycloak/releases/tag/24.0.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.