{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6563", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-12-06T18:47:35.594Z", "datePublished": "2023-12-14T18:01:26.005Z", "dateUpdated": "2024-09-18T08:33:37.699Z"}, "containers": {"cna": {"title": "Keycloak: offline session token dos", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.11-2.redhat_00003.1.el7sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.11-2.redhat_00003.1.el8sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "versions": [{"version": "0:18.0.11-2.redhat_00003.1.el9sso", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso76-openshift-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.6-38", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rh-sso-7/sso7-rhel8-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "7.6.6-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "Single Sign-On 7.6.6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "keycloak-core", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7.6.6"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7854", "name": "RHSA-2023:7854", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7855", "name": "RHSA-2023:7855", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7856", "name": "RHSA-2023:7856", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7857", "name": "RHSA-2023:7857", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7858", "name": "RHSA-2023:7858", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-6563", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308", "name": "RHBZ#2253308", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/keycloak/keycloak/issues/13340"}], "datePublic": "2023-12-14T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling", "workarounds": [{"lang": "en", "value": "There are three main options to prevent exploitation:\n1) If you are using a reverse proxy, block the consents URL.\n2) This option is less effective: remove the consents application tab from the account console theme.\n3) This option has a significant negative impact on end users: entirely disable offline user profiles."}], "timeline": [{"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-14T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-18T08:33:37.699Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:35:14.663Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7854", "name": "RHSA-2023:7854", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7855", "name": "RHSA-2023:7855", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7856", "name": "RHSA-2023:7856", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7857", "name": "RHSA-2023:7857", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7858", "name": "RHSA-2023:7858", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-6563", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308", "name": "RHBZ#2253308", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/keycloak/keycloak/issues/13340", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD663F41-3B6D-4AF0-9ABA-1F3BF292C632", "versionEndExcluding": "21.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*", "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*", "matchCriteriaId": "8C519B1A-1CD6-426C-9339-F28E4FEF581B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*", "matchCriteriaId": "91EE3858-A648-44B4-B282-8F808D88D3B9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de consumo de memoria sin restricciones en Keycloak. Se puede activar en entornos que tienen millones de tokens fuera de l\u00ednea (> 500.000 usuarios, cada uno con al menos 2 sesiones guardadas). Si un atacante crea dos o m\u00e1s sesiones de usuario y luego abre la pesta\u00f1a \"consentimientos\" de la interfaz de usuario del administrador, la interfaz de usuario intenta cargar una gran cantidad de sesiones de clientes fuera de l\u00ednea, lo que genera un consumo excesivo de memoria y CPU, lo que potencialmente podr\u00eda bloquear todo el sistema."}], "id": "CVE-2023-6563", "lastModified": "2023-12-27T18:49:44.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-12-14T18:15:45.540", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7854"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7855"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7856"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "https://access.redhat.com/errata/RHSA-2023:7857"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7858"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-6563"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://github.com/keycloak/keycloak/issues/13340"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7854", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7856", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7855", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7857", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-38", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7857", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso7-rhel8-operator-bundle:7.6.6-2", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7858", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.6", "package": "keycloak-core", "product_name": "Single Sign-On 7.6.6", "release_date": "2023-12-14T00:00:00Z"}], "bugzilla": {"description": "keycloak: offline session token DoS", "id": "2253308", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.", "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system."], "mitigation": {"lang": "en:us", "value": "There are three main options to prevent exploitation:\n1) If you are using a reverse proxy, block the consents URL.\n2) This option is less effective: remove the consents application tab from the account console theme.\n3) This option has a significant negative impact on end users: entirely disable offline user profiles."}, "name": "CVE-2023-6563", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Will not fix", "package_name": "keycloak-core", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2023-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6563\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6563\nhttps://github.com/keycloak/keycloak/issues/13340"], "statement": "While this vulnerability can enable complete compromise of system availability, it is not possible to be triggered in every environment. The impact is rated as Important due to several preconditions (number of users and how many sessions each user has) which are beyond an attacker's control.", "threat_severity": "Important", "upstream_fix": "keycloak 21.0.0"}