{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6841", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-12-15T12:33:39.292Z", "datePublished": "2024-09-10T16:15:32.639Z", "dateUpdated": "2024-09-17T08:14:53.292Z"}, "containers": {"cna": {"title": "Keycloak: amount of attributes per object is not limited and it may lead to dos", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Fuse 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Mobile Application Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:mobile_application_platform:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Application Runtimes", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}, {"vendor": "Red Hat", "product": "Red Hat support for Spring Boot", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6841", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714", "name": "RHBZ#2254714", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-10T15:45:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-231", "description": "Improper Handling of Extra Values", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-231: Improper Handling of Extra Values", "workarounds": [{"lang": "en", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}], "timeline": [{"lang": "en", "time": "2023-12-15T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-10T15:45:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-17T08:14:53.292Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-10T18:56:02.815080Z", "id": "CVE-2023-6841", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:56:12.783Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T18:56:02.815080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-10T18:56:08.476Z"}}], "cna": {"title": "Keycloak: amount of attributes per object is not limited and it may lead to dos", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Fuse 7", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:mobile_application_platform:4"], "vendor": "Red Hat", "product": "Red Hat Mobile Application Platform 4", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat OpenShift Application Runtimes", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift_application_runtimes:1.0"], "vendor": "Red Hat", "product": "Red Hat support for Spring Boot", "packageName": "keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-12-15T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-10T15:45:00+00:00", "value": "Made public."}], "datePublic": "2024-09-10T15:45:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-6841", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714", "name": "RHBZ#2254714", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-231", "description": "Improper Handling of Extra Values"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-17T08:14:53.292Z"}, "x_redhatCweChain": "CWE-231: Improper Handling of Extra Values"}}, "cveMetadata": {"cveId": "CVE-2023-6841", "state": "PUBLISHED", "dateUpdated": "2024-09-17T08:14:53.292Z", "dateReserved": "2023-12-15T12:33:39.292Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-10T16:15:32.639Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."}], "id": "CVE-2023-6841", "lastModified": "2024-09-10T17:43:14.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-10T17:15:15.170", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2023-6841"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-231"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "keycloak: Amount of attributes per object is not limited and it may lead to DOS", "id": "2254714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-231", "details": ["A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.", "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."], "mitigation": {"lang": "en:us", "value": "This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."}, "name": "CVE-2023-6841", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "keycloak", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "keycloak", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2024-09-10T15:45:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-6841\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6841"], "threat_severity": "Moderate"}