LOW · 3.5

CVE-2023-2585

Vulnerability Description

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
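The weakness described above is a missing binding check in the device authorization grant (RFC 8628): the server issues a device code to one client, and both the consent page and the token endpoint must use the client identity stored with that code rather than anything the caller presents. The toy server below is an added illustration of that check, not Keycloak's code, and it does not reproduce the specific code path this CVE touches; the client names, scope and verification URI are constructed for the example. The weak mode (bind_client=False) shows what goes wrong when the token endpoint skips the check.

```python
"""Toy device authorization grant (RFC 8628) server showing the two bindings
a device code must keep: which client it was issued to, and that the consent
page and token endpoint both read that stored binding rather than trusting
the caller.  Added illustration only; not Keycloak code."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 section 6.1 style charset


class DeviceGrantServer:
    def __init__(self, registered_clients, bind_client=True):
        # bind_client=False models the weak variant: the token endpoint does
        # not check that the presenting client_id owns the device code.
        self.clients = set(registered_clients)
        self.bind_client = bind_client
        self.by_device_code = {}   # device_code -> record dict
        self.by_user_code = {}     # user_code -> device_code

    def device_authorization(self, client_id, scope, expires_in=600):
        """Device Authorization Request: issue a device_code/user_code pair
        and record the requesting client alongside it."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.by_device_code[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + expires_in, "approved": False,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://sso.example.test/device",  # assumed
                "expires_in": expires_in, "interval": 5}

    def consent_prompt(self, user_code):
        """What the verification page shows the approving admin.  The client
        identity comes from the stored record, never from a request parameter,
        so a second client cannot dress its own request up as another's."""
        rec = self._record_for_user_code(user_code)
        if rec is None:
            return {"error": "invalid_user_code"}
        return {"client_id": rec["client_id"], "scope": rec["scope"]}

    def approve(self, user_code):
        rec = self._record_for_user_code(user_code)
        if rec is None:
            return False
        rec["approved"] = True
        return True

    def token(self, client_id, device_code):
        """Device Access Token Request
        (grant_type=urn:ietf:params:oauth:grant-type:device_code)."""
        rec = self.by_device_code.get(device_code)
        if rec is None or time.time() > rec["expires_at"]:
            return {"error": "invalid_grant"}
        # The check this weakness class is about: a device code must only be
        # redeemable by the client it was issued to.
        if self.bind_client and rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        # Single use: drop the code once it has been redeemed.
        del self.by_device_code[device_code]
        del self.by_user_code[rec["user_code"]]
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": rec["scope"],
                "issued_to": client_id}

    def _record_for_user_code(self, user_code):
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return None
        rec = self.by_device_code[device_code]
        if time.time() > rec["expires_at"]:
            return None
        return rec


def run_scenario(bind_client):
    """A legitimate client starts a flow, the admin approves the consent shown
    for that client, and a different registered client tries to redeem the
    same device code.  Returns True if the other client obtained a token."""
    srv = DeviceGrantServer(["trusted-cli", "other-client"], bind_client=bind_client)
    start = srv.device_authorization("trusted-cli", "openid")
    assert srv.consent_prompt(start["user_code"])["client_id"] == "trusted-cli"
    srv.approve(start["user_code"])
    other = srv.token("other-client", start["device_code"])
    return "access_token" in other


if __name__ == "__main__":
    print("other client gets token, binding enforced:", run_scenario(True))   # False
    print("other client gets token, binding skipped: ", run_scenario(False))  # True
```

The two places to verify in any deployment are the same two the toy exercises: the consent screen must display the client recorded for the user code, and the token endpoint must reject a device code presented by a client_id other than the one that requested it, returning the generic invalid_grant so the caller learns nothing about which check failed.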

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor   | Product                                    | Versions
Red Hat  | Single Sign-On                             | 7.6
Red Hat  | Enterprise Linux                           | 7.0
Red Hat  | OpenShift Container Platform               | 4.11
Red Hat  | OpenShift Container Platform for IBM Z     | 4.9
Red Hat  | OpenShift Container Platform for LinuxONE  | 4.9
Red Hat  | OpenShift Container Platform for Power     | 4.9

Related Weaknesses (CWE)

References

FAQ

What is CVE-2023-2585?

CVE-2023-2585 is a vulnerability with a CVSS score of 3.5 (LOW). Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly gain unauthorized access to an existing OAuth client.

How severe is CVE-2023-2585?

CVE-2023-2585 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-2585?

Check the References section above for vendor advisories and patch information. Affected products include: Red Hat Single Sign-On 7.6, Red Hat Enterprise Linux 7.0, Red Hat OpenShift Container Platform 4.11, and Red Hat OpenShift Container Platform for IBM Z, LinuxONE and Power 4.9.