An unconstrained memory consumption vulnerability exists in Keycloak. It can be triggered in environments that have millions of offline tokens (more than 500,000 users, each with at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption that could potentially crash the entire system.
Vulnerable Product |
---|
redhat keycloak |
redhat single_sign-on 7.6 |
redhat single sign-on - |
redhat openshift_container_platform 4.11 |
redhat openshift_container_platform 4.12 |
redhat openshift_container_platform_for_power 4.9 |
redhat openshift_container_platform_for_power 4.10 |
redhat openshift_container_platform_for_ibm_linuxone 4.9 |
redhat openshift_container_platform_for_ibm_linuxone 4.10 |