Описание
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
Отчет
Red Hat has evaluated this vulnerability and it only affects the Red Hat Single Sign-On (RHSSO).
Меры по смягчению последствий
This CVE is mitigated by the 'User Profile' functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Quarkus | keycloak | Not affected | ||
| Red Hat Fuse 7 | keycloak | Not affected | ||
| Red Hat Mobile Application Platform 4 | keycloak | Not affected | ||
| Red Hat OpenShift Application Runtimes | keycloak | Not affected | ||
| Red Hat Process Automation 7 | keycloak | Not affected | ||
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Fix deferred | ||
| Red Hat support for Spring Boot | keycloak | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
A denial of service vulnerability was found in keycloak where the amou ...
EPSS
7.5 High
CVSS3