CVE-2023-6841

Keycloak: number of attributes per object is not limited and may lead to DoS

Description

A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.

Remediation

Workaround:

  • This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature adds validation of user attributes, which prevents this vulnerability from being exploited.

CVSS

CVSS 3.1 base score: 7.5
Severity: High
EPSS: 0.40%
Vendor Advisory: redhat.com
Affected products (vendor: Red Hat):

  • Red Hat build of Quarkus
  • Red Hat Fuse 7
  • Red Hat Mobile Application Platform 4
  • Red Hat OpenShift Application Runtimes
  • Red Hat Process Automation 7
  • Red Hat Single Sign-On 7
  • Red Hat support for Spring Boot

Frequently Asked Questions

What is the severity of CVE-2023-6841?
CVE-2023-6841 has been scored as a high severity vulnerability.
How to fix CVE-2023-6841?
As a workaround for remediating CVE-2023-6841: this CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature adds validation of user attributes, which prevents this vulnerability from being exploited.
Is CVE-2023-6841 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-6841 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-6841?
CVE-2023-6841 affects the following Red Hat products: Red Hat build of Quarkus, Red Hat Fuse 7, Red Hat Mobile Application Platform 4, Red Hat OpenShift Application Runtimes, Red Hat Process Automation 7, Red Hat Single Sign-On 7 and Red Hat support for Spring Boot.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.