CVE-2023-2585
Published: Dec 21, 2023
Modified: Aug 2, 2024
CVSS v3.1
3.5
Description
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
| Vendor | Product | Versions |
|---|---|---|
Red Hat | Red Hat Single Sign-On 7 | All versions |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | unaffected 0:18.0.8-1.redhat_00001.1.el7sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | unaffected 0:18.0.8-1.redhat_00001.1.el8sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | unaffected 0:18.0.8-1.redhat_00001.1.el9sso - < * |
Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6-24 - < * |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now