High severityOSV Advisory· Published Sep 10, 2024· Updated Nov 8, 2025
Keycloak: amount of attributes per object is not limited and it may lead to dos
CVE-2023-6841
Description
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-coreMaven | < 24.0.0 | 24.0.0 |
Affected products
20- Range: 1.0-alpha-1, 1.0-alpha-1-12062013, 1.0-alpha-2, …
- osv-coords19 versionspkg:apk/chainguard/keycloakpkg:apk/chainguard/keycloak-bitnami-compatpkg:apk/chainguard/keycloak-bitnami-fipspkg:apk/chainguard/keycloak-compatpkg:apk/chainguard/keycloak-fipspkg:apk/chainguard/keycloak-fips-bitnami-compatpkg:apk/chainguard/keycloak-fips-policy-140-2pkg:apk/chainguard/keycloak-fips-policy-140-3pkg:apk/chainguard/keycloak-iamguarded-compatpkg:apk/chainguard/keycloak-iamguarded-fipspkg:apk/chainguard/keycloak-operatorpkg:apk/chainguard/keycloak-operator-compatpkg:apk/wolfi/keycloakpkg:apk/wolfi/keycloak-bitnami-compatpkg:apk/wolfi/keycloak-compatpkg:apk/wolfi/keycloak-iamguarded-compatpkg:apk/wolfi/keycloak-operatorpkg:apk/wolfi/keycloak-operator-compatpkg:maven/org.keycloak/keycloak-core
< 26.1.4-r0+ 18 more
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 26.1.4-r0
- (no CPE)range: < 24.0.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-w97f-w3hq-36g2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-6841ghsaADVISORY
- access.redhat.com/security/cve/CVE-2023-6841ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/keycloak/keycloak/issues/32837ghsaWEB
- github.com/keycloak/keycloak/releases/tag/24.0.0ghsaWEB
News mentions
0No linked articles in our index yet.