VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-1rh2-4svp-xffr

Essentials
Severities (44)
References (17)
Severity details (26)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-1rh2-4svp-xffr
Aliases	CVE-2023-6563 GHSA-54f3-c6hg-865h
Summary	Allocation of Resources Without Limits in Keycloak An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-770	Allocation of Resources Without Limits or Throttling
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	7.7	https://access.redhat.com/errata/RHSA-2023:7854
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2023:7854
cvssv3.1	7.7	https://access.redhat.com/errata/RHSA-2023:7855
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2023:7855
cvssv3.1	7.7	https://access.redhat.com/errata/RHSA-2023:7856
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2023:7856
cvssv3.1	7.7	https://access.redhat.com/errata/RHSA-2023:7857
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2023:7857
cvssv3.1	7.7	https://access.redhat.com/errata/RHSA-2023:7858
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2023:7858
cvssv3	7.7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6563.json
cvssv3.1	7.7	https://access.redhat.com/security/cve/CVE-2023-6563
generic_textual	HIGH	https://access.redhat.com/security/cve/CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
epss	0.00304	https://api.first.org/data/v1/epss?cve=CVE-2023-6563
cvssv3.1	7.7	https://bugzilla.redhat.com/show_bug.cgi?id=2253308
generic_textual	HIGH	https://bugzilla.redhat.com/show_bug.cgi?id=2253308
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-54f3-c6hg-865h
cvssv3.1	7.7	https://github.com/keycloak/keycloak
generic_textual	HIGH	https://github.com/keycloak/keycloak
cvssv3.1	7.7	https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
generic_textual	HIGH	https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
cvssv3.1	7.7	https://github.com/keycloak/keycloak/issues/13340
generic_textual	HIGH	https://github.com/keycloak/keycloak/issues/13340
cvssv3.1	7.7	https://github.com/keycloak/keycloak/pull/15463
generic_textual	HIGH	https://github.com/keycloak/keycloak/pull/15463
cvssv3.1	7.7	https://nvd.nist.gov/vuln/detail/CVE-2023-6563
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2023-6563

Reference id	Reference type	URL
		https://access.redhat.com/errata/RHSA-2023:7854
		https://access.redhat.com/errata/RHSA-2023:7855
		https://access.redhat.com/errata/RHSA-2023:7856
		https://access.redhat.com/errata/RHSA-2023:7857
		https://access.redhat.com/errata/RHSA-2023:7858
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6563.json
		https://access.redhat.com/security/cve/CVE-2023-6563
		https://api.first.org/data/v1/epss?cve=CVE-2023-6563
		https://bugzilla.redhat.com/show_bug.cgi?id=2253308
		https://github.com/keycloak/keycloak
		https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
		https://github.com/keycloak/keycloak/issues/13340
		https://github.com/keycloak/keycloak/pull/15463
		https://nvd.nist.gov/vuln/detail/CVE-2023-6563
cpe:2.3:a:redhat:keycloak::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:keycloak::::::::
cpe:2.3:a:redhat:single_sign-on:-::::text-only:::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
GHSA-54f3-c6hg-865h		https://github.com/advisories/GHSA-54f3-c6hg-865h

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7854

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7855

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7856

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7857

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2023:7858

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6563.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/CVE-2023-6563

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://github.com/keycloak/keycloak

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://github.com/keycloak/keycloak/issues/13340

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://github.com/keycloak/keycloak/pull/15463

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-6563

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.53212
EPSS Score	0.00304
Published At	Aug. 5, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:42:11.691264+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-54f3-c6hg-865h/GHSA-54f3-c6hg-865h.json	37.0.0