8.1
CVE-2023-2585
- EPSS 0.11%
- Veröffentlicht 21.12.2023 10:15:34
- Zuletzt bearbeitet 21.11.2024 07:58:52
- Quelle secalert@redhat.com
- Teams Watchlist Login
- Unerledigt Login
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Single Sign-on Version7.6
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Openshift Container Platform Version4.11
Redhat ≫ Openshift Container Platform Version4.12
Redhat ≫ Openshift Container Platform For Ibm Z Version4.9
Redhat ≫ Openshift Container Platform For Ibm Z Version4.10
Redhat ≫ Openshift Container Platform For Linuxone Version4.9
Redhat ≫ Openshift Container Platform For Linuxone Version4.10
Redhat ≫ Openshift Container Platform For Power Version4.9
Redhat ≫ Openshift Container Platform For Power Version4.10
Redhat ≫ Single Sign-on Version- SwEditiontext-only
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.304 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
|
| secalert@redhat.com | 3.5 | 0.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
|
CWE-358 Improperly Implemented Security Check for Standard
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.