Description
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system.
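The following added example models the mechanism described above: a cache that retains validated tokens purely until their `exp` claim, beside a variant with server-side limits (a cap on retained lifetime and a hard entry count with least-recently-used eviction). It is a constructed illustration, not Keycloak's implementation; the class names, the `FakeClock`, and the one-token-per-second workload are assumptions chosen to make the growth behaviour visible offline.

```python
"""Toy model of a validated-token cache: expiry-only retention beside a bounded
variant. Constructed illustration; not Keycloak's code."""
from collections import OrderedDict


class FakeClock:
    """Deterministic clock so the simulation runs offline and reproducibly."""

    def __init__(self, start=0):
        self._t = start

    def now(self):
        return self._t

    def advance(self, seconds):
        self._t += seconds


class ExpiryOnlyTokenCache:
    """Keeps each validated token until its exp claim. The only eviction is
    expiry, so the size is governed entirely by the lifetimes clients choose."""

    def __init__(self, clock):
        self._clock = clock
        self._entries = {}  # token id -> expiry timestamp

    def _purge_expired(self):
        now = self._clock.now()
        for tid in [t for t, exp in self._entries.items() if exp <= now]:
            del self._entries[tid]

    def put(self, token_id, exp):
        self._purge_expired()
        self._entries[token_id] = exp

    def __len__(self):
        return len(self._entries)


class BoundedTokenCache:
    """Same cache with two server-side limits: an upper bound on how long an
    entry is retained regardless of the client's exp claim, and a hard entry
    count enforced by least-recently-used eviction."""

    def __init__(self, clock, max_entries, max_ttl):
        self._clock = clock
        self._max_entries = max_entries
        self._max_ttl = max_ttl
        self._entries = OrderedDict()  # token id -> retain-until timestamp

    def _purge_expired(self):
        now = self._clock.now()
        for tid in [t for t, until in self._entries.items() if until <= now]:
            del self._entries[tid]

    def put(self, token_id, exp):
        self._purge_expired()
        now = self._clock.now()
        retain_until = min(exp, now + self._max_ttl)  # server-side lifetime cap
        if retain_until <= now:
            return  # already expired: nothing to cache
        self._entries[token_id] = retain_until
        self._entries.move_to_end(token_id)
        while len(self._entries) > self._max_entries:
            self._entries.popitem(last=False)  # evict least recently used

    def __len__(self):
        return len(self._entries)


def simulate(make_cache, n_tokens, token_lifetime):
    """Feed one freshly issued token per second and return the final cache size.
    token_lifetime is the exp offset (seconds) the client puts in each token."""
    clock = FakeClock()
    cache = make_cache(clock)
    for i in range(n_tokens):
        clock.advance(1)
        cache.put(f"tok-{i}", clock.now() + token_lifetime)
    return len(cache)


if __name__ == "__main__":
    two_days = 48 * 3600
    print("expiry-only, 60 s tokens :", simulate(ExpiryOnlyTokenCache, 10_000, 60))
    print("expiry-only, 48 h tokens :", simulate(ExpiryOnlyTokenCache, 10_000, two_days))
    print("bounded (1000 entries, 300 s cap), 48 h tokens :",
          simulate(lambda c: BoundedTokenCache(c, 1000, 300), 10_000, two_days))
```

With short-lived tokens the expiry-only cache stays small because expiry keeps pace with arrivals; with 48-hour tokens nothing expires during the run and every token issued is still held, which is the growth pattern behind the OutOfMemoryError. The bounded variant holds at most the last 300 seconds of tokens here, and the entry cap would take over if the arrival rate rose. Which limit dominates depends on the server-side settings, not on what the client places in `exp`.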
Statement
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that detect excessive resource usage caused by malicious activity or system misconfigurations. In the event of exploitation, process isolation ensures workloads operate in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Single Sign-On 7 | keycloak-services | Fix deferred | | |
Red Hat Build of Keycloak | keycloak-services | Fixed | RHSA-2025:4336 | 29.04.2025 |
Red Hat build of Keycloak 26.0 | rhbk/keycloak-operator-bundle | Fixed | RHSA-2025:4335 | 29.04.2025 |
Red Hat build of Keycloak 26.0 | rhbk/keycloak-rhel9 | Fixed | RHSA-2025:4335 | 29.04.2025 |
Red Hat build of Keycloak 26.0 | rhbk/keycloak-rhel9-operator | Fixed | RHSA-2025:4335 | 29.04.2025 |
Additional information
Status:
CVSS3: 4.9 Medium
Related vulnerabilities
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache