CVE-2023-2585

Keycloak: client access via device auth request spoof

Client Spoofing within the Keycloak Device Authorisation Grant

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly to obtain unauthorized access to an existing OAuth client.

Possible countermeasure

Keycloak Server: Install latest version

Data provided by the National Vulnerability Database (NVD)
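The check that is missing here is the binding between the device code and the client that requested it: the token endpoint must only redeem a device code for the client_id it was issued to, and the consent screen must show the user the client bound to the user code, not whatever client name the requester supplies. The following is an added illustration written for this page, not Keycloak's code, of a minimal device authorization grant store (RFC 8628) that enforces that binding; the class, method names, the in-memory store and the token format are all constructed assumptions.

```python
# Added example, not Keycloak's implementation: a minimal RFC 8628 device grant
# store that binds each device code to the requesting client and refuses to
# redeem it for any other client. All names and values are constructed.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEVICE_CODE_TTL = 600  # seconds; assumed lifetime for this example


@dataclass
class DeviceCodeRecord:
    client_id: str      # client that made the device authorization request
    user_code: str
    scope: str
    expires_at: float
    approved: bool = False


class DeviceGrantStore:
    def __init__(self) -> None:
        self._by_device_code: Dict[str, DeviceCodeRecord] = {}
        self._by_user_code: Dict[str, str] = {}  # user_code -> device_code

    def authorize(self, client_id: str, scope: str = "") -> Tuple[str, str]:
        """Device authorization endpoint: issue codes bound to the requesting client."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self._by_device_code[device_code] = DeviceCodeRecord(
            client_id=client_id,
            user_code=user_code,
            scope=scope,
            expires_at=time.time() + DEVICE_CODE_TTL,
        )
        self._by_user_code[user_code] = device_code
        return device_code, user_code

    def client_for_user_code(self, user_code: str) -> Optional[str]:
        """Consent screen: the client shown to the user comes from the stored
        record, never from a client_id parameter on the verification request."""
        device_code = self._by_user_code.get(user_code)
        rec = self._by_device_code.get(device_code) if device_code else None
        if rec is None or time.time() > rec.expires_at:
            return None
        return rec.client_id

    def approve(self, user_code: str) -> bool:
        """User (or admin) approves the user code shown on the consent screen."""
        device_code = self._by_user_code.get(user_code)
        rec = self._by_device_code.get(device_code) if device_code else None
        if rec is None or time.time() > rec.expires_at:
            return False
        rec.approved = True
        return True

    def token(self, client_id: str, device_code: str) -> str:
        """Token endpoint for grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Returns an OAuth error code or a constructed access token string."""
        rec = self._by_device_code.get(device_code)
        if rec is None or time.time() > rec.expires_at:
            return "invalid_grant"
        # The security-relevant check: the device code is only valid for the
        # client it was issued to. A request from any other client is rejected
        # before the approval state is even consulted.
        if rec.client_id != client_id:
            return "invalid_grant"
        if not rec.approved:
            return "authorization_pending"
        # Single use: drop the record so the code cannot be redeemed twice.
        del self._by_device_code[device_code]
        self._by_user_code.pop(rec.user_code, None)
        return f"token-for-{rec.client_id}:{rec.scope}"


def demo() -> Dict[str, str]:
    """Walk through one grant and record what each party observes."""
    store = DeviceGrantStore()
    device_code, user_code = store.authorize("legit-client", "openid")
    out = {"consent_shows": store.client_for_user_code(user_code) or ""}
    out["other_client_before_approval"] = store.token("other-client", device_code)
    store.approve(user_code)
    out["other_client_after_approval"] = store.token("other-client", device_code)
    out["legit_client"] = store.token("legit-client", device_code)
    out["legit_client_replay"] = store.token("legit-client", device_code)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the example is where the client identity comes from: the consent screen and the token endpoint both trust only the record created at authorization time, so a client_id supplied later in the flow cannot change which client the user is consenting to or which client receives the token.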
Affected configurations:

Red Hat Single Sign-On 7.6
   on Red Hat Enterprise Linux 7.0
   on Red Hat Enterprise Linux 8.0
   on Red Hat Enterprise Linux 9.0
Red Hat OpenShift Container Platform 4.11
   on Red Hat Enterprise Linux 8.0
Red Hat OpenShift Container Platform 4.12
   on Red Hat Enterprise Linux 8.0
Red Hat Single Sign-On (text-only edition)
Further vulnerability information

System: Keycloak
Product: Keycloak Server
Version: < 21.1.2

No advisory was found for this CVE.
EPSS metrics

Type | Source    | Score | Percentile
EPSS | FIRST.org | 0.11% | 0.305

CVSS metrics

Source              | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov        | 8.1        | 2.8           | 5.2          | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
secalert@redhat.com | 3.5        | 0.9           | 2.5          | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CWE-358 Improperly Implemented Security Check for Standard

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.