CVE-2023-6563
Published: Dec 14, 2023
Modified: Nov 11, 2025
CVSS v3.1
7.7
Description
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system.
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | unaffected 0:18.0.11-2.redhat_00003.1.el7sso - < * |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | unaffected 0:18.0.11-2.redhat_00003.1.el8sso - < * |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | unaffected 0:18.0.11-2.redhat_00003.1.el9sso - < * |
| Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6-38 - < * |
| Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6.6-2 - < * |
| Red Hat | Single Sign-On 7.6.6 | All versions |
| Red Hat | Red Hat Build of Keycloak | All versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | None (C:N) |
| Integrity | None (I:N) |
| Availability | High (A:H) |
References