Vulnerabilities > CVE-2023-2585 - Unspecified vulnerability in Redhat products

CVSS 8.1 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

redhat

NVD

Published: 2023-12-21

Updated: 2024-01-02

Summary

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Single Sign ON 7.6 Redhat Single Sign ON - Redhat Openshift Container Platform 4.11 Redhat Openshift Container Platform 4.12 Redhat Openshift Container Platform FOR IBM Z 4.9 Redhat Openshift Container Platform FOR IBM Z 4.10 Redhat Openshift Container Platform FOR Linuxone 4.9 Redhat Openshift Container Platform FOR Linuxone 4.10 Redhat Openshift Container Platform FOR Power 4.9 Redhat Openshift Container Platform FOR Power 4.10	10
OS	Redhat Redhat Enterprise Linux 7.0 Redhat Enterprise Linux 8.0 Redhat Enterprise Linux 9.0	3

Summary

Vulnerable Configurations

References