CVE-2023-6841: Keycloak Denial of Service vulnerability

September 10, 2024 (updated November 18, 2024)

A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with the introduction of the User Profile feature.

References

access.redhat.com/security/cve/CVE-2023-6841
bugzilla.redhat.com/show_bug.cgi?id=2254714
github.com/advisories/GHSA-w97f-w3hq-36g2
github.com/keycloak/keycloak
github.com/keycloak/keycloak/issues/32837
github.com/keycloak/keycloak/releases/tag/24.0.0
nvd.nist.gov/vuln/detail/CVE-2023-6841

Code Behaviors & Features

Detect and mitigate CVE-2023-6841 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →