CVE-2023-6841
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 24.0.0 | affected |
Weaknesses
- CWE-231: Improper Handling of Extra Values
Workarounds
This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2023-6841
- https://bugzilla.redhat.com/show_bug.cgi?id=2254714
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.