{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-6841", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-12-15T12:33:39.292Z", "datePublished": "2024-09-10T16:15:32.639Z", "dateUpdated": "2025-11-08T07:10:39.283Z"}, "containers": {"cna": {"title": "Keycloak: amount of attributes per object is not limited and it may lead to dos", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "24.0.0", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Mobile Application Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:mobile_application_platform:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Application Runtimes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rh-sso7-keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}, {"vendor": "Red Hat", "product": "Red Hat support for Spring Boot", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6841", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714", "name": "RHBZ#2254714", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-10T15:45:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-231", "description": "Improper Handling of Extra Values", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-231: Improper Handling of Extra Values", "workarounds": [{"lang": "en", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}], "timeline": [{"lang": "en", "time": "2023-12-15T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-10T15:45:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-08T07:10:39.283Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T20:20:35.831984Z", "id": "CVE-2023-6841", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T20:20:45.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T20:20:35.831984Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:56:08.476Z"}}], "cna": {"title": "Keycloak: amount of attributes per object is not limited and it may lead to dos", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "24.0.0", "versionType": "semver"}], "packageName": "keycloak", "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:mobile_application_platform:4"], "vendor": "Red Hat", "product": "Red Hat Mobile Application Platform 4", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat OpenShift Application Runtimes", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "rh-sso7-keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat support for Spring Boot", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-12-15T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-10T15:45:00+00:00", "value": "Made public."}], "datePublic": "2024-09-10T15:45:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6841", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714", "name": "RHBZ#2254714", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-231", "description": "Improper Handling of Extra Values"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-08T07:10:39.283Z"}, "x_redhatCweChain": "CWE-231: Improper Handling of Extra Values"}}, "cveMetadata": {"cveId": "CVE-2023-6841", "state": "PUBLISHED", "dateUpdated": "2025-11-08T07:10:39.283Z", "dateReserved": "2023-12-15T12:33:39.292Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-10T16:15:32.639Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*", "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio en keycloak, donde la cantidad de atributos por objeto no est\u00e1 limitada; un atacante al enviar solicitudes HTTP repetidas podr\u00eda causar un agotamiento de recursos cuando la aplicaci\u00f3n env\u00eda filas con valores de atributos largos."}], "id": "CVE-2023-6841", "lastModified": "2024-10-01T14:15:05.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2024-09-10T17:15:15.170", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-6841"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-231"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "keycloak: Amount of attributes per object is not limited and it may lead to DOS", "id": "2254714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-231", "details": ["A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.", "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."], "mitigation": {"lang": "en:us", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}, "name": "CVE-2023-6841", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "keycloak", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2024-09-10T15:45:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6841\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6841"], "statement": "Red Hat has evaluated this vulnerability and it only affects the Red Hat Single Sign-On (RHSSO).", "threat_severity": "Moderate"}

{}