CVE-2023-2585

Published: 2023-06-26 18:48:19
Source: redhat.com (access.redhat.com)
Tags: keycloak, device authorization grant, validation, attacker, client consent, oauth client, unauthorized access

EPSS: 0.001 (Low), percentile 37.5%

Keycloak’s device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly gain unauthorized access to an existing OAuth client.
