๐Ÿ” CVE Alert

CVE-2023-6563

HIGH 7.7

Keycloak: offline session token dos

CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

CWE CWE-770
Vendor red hat
Product red hat single sign-on 7.6 for rhel 7
Published Dec 14, 2023
Last Updated Nov 11, 2025
Stay Ahead of the Next One

Get instant alerts for red hat red hat single sign-on 7.6 for rhel 7

Be the first to know when new high vulnerabilities affecting red hat red hat single sign-on 7.6 for rhel 7 are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

Red Hat / Red Hat Single Sign-On 7.6 for RHEL 7
All versions affected
Red Hat / Red Hat Single Sign-On 7.6 for RHEL 8
All versions affected
Red Hat / Red Hat Single Sign-On 7.6 for RHEL 9
All versions affected
Red Hat / RHEL-8 based Middleware Containers
All versions affected
Red Hat / RHEL-8 based Middleware Containers
All versions affected
Red Hat / Single Sign-On 7.6.6
All versions affected
Red Hat / Red Hat Build of Keycloak
All versions affected

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7854 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7855 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7856 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7857 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7858 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-6563 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2253308 github.com: https://github.com/keycloak/keycloak/issues/13340