Keycloak UI DoS via Offline Session Memory Exhaustion
CVE-2023-6563 Published on December 14, 2023

Keycloak: offline session token dos
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-6563 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Timeline

2023-12-06

Reported to Red Hat.

2023-12-14

Made public. 8 days later.

Weakness Type

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Products Associated with CVE-2023-6563

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-6563 are published in these products:

Red Hat Keycloak

Red Hat Single Sign On

Red Hat Rhosemc

Red Hat Build Keycloak

Affected Versions

Red Hat Single Sign-On 7.6 for RHEL 7:

Version 0:18.0.11-2.redhat_00003.1.el7sso and below * is unaffected.

Red Hat Single Sign-On 7.6 for RHEL 8:

Version 0:18.0.11-2.redhat_00003.1.el8sso and below * is unaffected.

Red Hat Single Sign-On 7.6 for RHEL 9:

Version 0:18.0.11-2.redhat_00003.1.el9sso and below * is unaffected.

Red Hat RHEL-8 based Middleware Containers:

Version 7.6-38 and below * is unaffected.

Red Hat RHEL-8 based Middleware Containers:

Version 7.6.6-2 and below * is unaffected.

Red Hat Single Sign-On 7.6.6: Red Hat Build of Keycloak:

Exploit Probability

EPSS

0.30%

Percentile

53.26%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Keycloak UI DoS via Offline Session Memory ExhaustionCVE-2023-6563 Published on December 14, 2023

Vulnerability Analysis

Timeline

Weakness Type

Allocation of Resources Without Limits or Throttling

Products Associated with CVE-2023-6563

Affected Versions

Exploit Probability

Keycloak UI DoS via Offline Session Memory Exhaustion
CVE-2023-6563 Published on December 14, 2023