Keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle the replacement of an expired session and enter an infinite loop. A malicious authenticated user could use this flaw to cause a denial of service on the server.
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Keycloak | Redhat | * | 4.0.0 (excluding) |
Red Hat Single Sign-On 7.2.4 zip | RedHat | keycloak | * |
Text-Only RHOAR | RedHat | * | |