CVE-2023-2585 - Keycloak device authorization grant: missing device code and client ID validation (Red Hat products)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
Summary
Keycloak's device authorization grant does not correctly validate the device code and the client ID together. A malicious client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly obtain unauthorized access to an existing OAuth client.
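The check at issue, as an added illustrative model and not Keycloak's code: in the RFC 8628 device flow the authorization server hands a device code and user code to one client, and the consent page the user later approves must name the client bound to that stored record, never a client_id carried in the verification request. The server class, client names ("trusted-app", "evil-app") and the two consent variants below are assumptions constructed for this example; the vulnerable variant records consent for whatever client the request names, the hardened variant derives the client from the stored record and refuses a mismatch, and the token endpoint additionally refuses to redeem a device code for a client it was not issued to.

```python
"""Illustrative model of device-authorization-grant validation (constructed
example, not Keycloak's implementation): the consent step must derive the
client from the stored device-code record, never from a request parameter."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DeviceCodeRecord:
    client_id: str                      # client the code pair was issued to
    device_code: str                    # secret the client polls the token endpoint with
    user_code: str                      # short code the user types on the verification page
    approved: bool = False
    consented_client: Optional[str] = None  # client the user was shown on the consent page


class DeviceGrantServer:
    """Hypothetical authorization server keeping device-code state in memory."""

    def __init__(self, registered_clients: List[str]) -> None:
        self.clients = set(registered_clients)
        self.by_user_code: Dict[str, DeviceCodeRecord] = {}
        self.by_device_code: Dict[str, DeviceCodeRecord] = {}

    def device_authorization(self, client_id: str) -> dict:
        """Device authorization endpoint: bind a fresh code pair to client_id."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        rec = DeviceCodeRecord(client_id, secrets.token_urlsafe(32), secrets.token_hex(4).upper())
        self.by_user_code[rec.user_code] = rec
        self.by_device_code[rec.device_code] = rec
        return {"device_code": rec.device_code, "user_code": rec.user_code}

    def consent_vulnerable(self, user_code: str, presented_client_id: str) -> str:
        """Missing validation: the consent page names whatever client_id arrived
        with the verification request, so a device code issued to one client can
        be approved by the user under another client's name."""
        rec = self.by_user_code[user_code]
        rec.consented_client = presented_client_id
        rec.approved = True
        return rec.consented_client

    def consent_hardened(self, user_code: str, presented_client_id: str) -> str:
        """Fixed: the client shown and recorded comes from the stored record, and
        a request naming a different client is refused before any consent is taken."""
        rec = self.by_user_code[user_code]
        if not hmac.compare_digest(rec.client_id, presented_client_id):
            raise PermissionError("client_id does not match the client this user code was issued to")
        rec.consented_client = rec.client_id
        rec.approved = True
        return rec.consented_client

    def token(self, device_code: str, client_id: str) -> dict:
        """Token endpoint: only the client the code was issued to may redeem it."""
        rec = self.by_device_code.get(device_code)
        if rec is None or not hmac.compare_digest(rec.client_id, client_id):
            return {"error": "invalid_grant"}
        if not rec.approved:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "issued_to": rec.client_id}


def run_scenario(hardened: bool, presented_client_id: str = "trusted-app") -> dict:
    """Constructed scenario: 'evil-app' obtains a device code, then sends the user
    to a verification page that names presented_client_id. Returns which client the
    user saw on the consent page and whether evil-app was able to redeem the code."""
    server = DeviceGrantServer(["trusted-app", "evil-app"])
    grant = server.device_authorization("evil-app")
    consent = server.consent_hardened if hardened else server.consent_vulnerable
    try:
        shown = consent(grant["user_code"], presented_client_id)
    except PermissionError:
        shown = None
    tok = server.token(grant["device_code"], "evil-app")
    return {"consent_shown_for": shown, "token_issued": "access_token" in tok}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
    print("honest:    ", run_scenario(hardened=True, presented_client_id="evil-app"))
```

In the vulnerable run the user approves a page labelled "trusted-app" while the code is redeemed by "evil-app"; in the hardened run the mismatched consent request is refused and the code stays pending, while an honest request naming the issuing client still completes. When reviewing a real server, check both places: the consent/verification handler and the token endpoint must each resolve the client from the stored code, not from the caller.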
Vulnerable Configurations
References
- https://access.redhat.com/errata/RHSA-2023:3883
- https://access.redhat.com/errata/RHSA-2023:3884
- https://access.redhat.com/errata/RHSA-2023:3885
- https://access.redhat.com/errata/RHSA-2023:3888
- https://access.redhat.com/errata/RHSA-2023:3892
- https://access.redhat.com/security/cve/CVE-2023-2585
- https://bugzilla.redhat.com/show_bug.cgi?id=2196335