Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-2585

Good to know:

icon
icon

Date: December 21, 2023

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

Language: Java

Severity Score

Related Resources (12)

https://github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
https://access.redhat.com/errata/RHSA-2023:3888
https://access.redhat.com/errata/RHSA-2023:3883
https://nvd.nist.gov/vuln/detail/CVE-2023-2585
https://github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915
https://access.redhat.com/errata/RHSA-2023:3885
https://access.redhat.com/errata/RHSA-2023:3884
https://access.redhat.com/security/cve/CVE-2023-2585
https://access.redhat.com/errata/RHSA-2023:3892
https://bugzilla.redhat.com/show_bug.cgi?id=2196335
https://github.com/keycloak/keycloak
https://www.mend.io/vulnerability-database/CVE-2023-2585

Severity Score

Weakness Type (CWE)

Improperly Implemented Security Check for Standard

CWE-358

Top Fix

icon

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:21.1.2;org.keycloak:keycloak-client-registration-cli:21.1.2;org.keycloak:keycloak-admin-cli:21.1.2;org.keycloak:keycloak-server-spi-private:21.1.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us