Bug 2254714 (CVE-2023-6841) - CVE-2023-6841 keycloak: Amount of attributes per object is not limited and it may lead to DOS
Keywords:
Status: NEW
Alias: CVE-2023-6841
Deadline: 2024-09-10
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2254713
Reported: 2023-12-15 11:58 UTC by Rohit Keshri
Modified: 2025-03-04 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2023-12-15 11:58:36 UTC
The number of attributes per object (users, groups, roles) is not limited, and the impact is:

* The application cannot accept too large an amount of attributes
* The application struggles to serve the content of the attributes later for one item
* The application fails to serve a list of items when attribute values are included in the list
* It is possible to cause a denial of service by hammering the list endpoint that serves many rows with long attribute values

