VYPR
High severityNVD Advisory· Published Dec 14, 2023· Updated Nov 11, 2025

Keycloak: offline session token dos

CVE-2023-6563

Description

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.keycloak:keycloak-model-jpaMaven
< 21.0.021.0.0

Affected products

7
  • cpe:/a:redhat:build_keycloak:
  • Red Hat/Single Sign Oncpe-rescue4 versions
    cpe:/a:redhat:red_hat_single_sign_on:7.6.6+ 3 more
    • cpe:/a:redhat:red_hat_single_sign_on:7.6.6
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el7range: 0:18.0.11-2.redhat_00003.1.el7sso
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el8range: 0:18.0.11-2.redhat_00003.1.el8sso
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el9range: 0:18.0.11-2.redhat_00003.1.el9sso
  • Red Hat/RHEL-8 based Middleware Containersv5
    cpe:/a:redhat:rhosemc:1.0::el8
    Range: 7.6.6-2

Patches

Vulnerability mechanics

References

12

News mentions

0

No linked articles in our index yet.