CVE-2023-2585

moderate-risk
Published 2023-12-21

Keycloak's device authorization grant does not correctly validate the device code against the client ID. An attacker-controlled client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or to gain unauthorized access to an existing OAuth client.
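The defect class is easiest to see in a small model of the RFC 8628 token endpoint. The block below is an added example, not Keycloak's code or the fix as shipped: the in-memory store, the two endpoint functions, the client names and the simplified token dict (a dict with an "azp" field standing in for a JWT) are all assumptions made for the illustration. The vulnerable endpoint looks the device code up but never checks which client obtained it, so a code issued to one client can be exchanged under another client's ID; the hardened endpoint binds the code to the issuing client, checks expiry and pending state, and burns it after one use.

```python
"""Model of an RFC 8628 device authorization grant token endpoint, added
here to illustrate the class of defect described above. It is not Keycloak's
code: the store, the endpoint functions and the client names are assumptions
made for the example, and the token is a simplified dict rather than a JWT."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceCodeStore:
    """In-memory record of pending device authorizations (assumed layout)."""

    def __init__(self, ttl_seconds=600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.records = {}  # device_code -> record

    def issue(self, client_id, scope):
        """Device authorization endpoint: the client that calls this is the
        one the device code is bound to."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.records[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires_at": self.now() + self.ttl,
            "used": False,
        }
        return device_code, user_code

    def approve(self, user_code, username):
        """Verification page: the user consents to the client named in the
        record. Returns that client_id so it can be compared with the client
        the token finally goes to."""
        for rec in self.records.values():
            if rec["user_code"] == user_code:
                rec["approved_by"] = username
                return rec["client_id"]
        raise KeyError("unknown user_code")


def vulnerable_token_endpoint(store, form):
    """Looks the device code up but trusts the caller's client_id, so the
    token is minted for whichever client the poller claims to be."""
    if form.get("grant_type") != DEVICE_CODE_GRANT:
        return {"error": "unsupported_grant_type"}
    rec = store.records.get(form.get("device_code"))
    if rec is None or rec["approved_by"] is None:
        return {"error": "authorization_pending"}
    return {"access_token": secrets.token_urlsafe(16), "sub": rec["approved_by"],
            "scope": rec["scope"], "azp": form.get("client_id")}


def hardened_token_endpoint(store, form):
    """Rejects a device code presented by a client other than the one it was
    issued to, checks expiry and pending state, and burns the code after one
    successful exchange. Error codes follow RFC 6749 / RFC 8628."""
    if form.get("grant_type") != DEVICE_CODE_GRANT:
        return {"error": "unsupported_grant_type"}
    rec = store.records.get(form.get("device_code"))
    if rec is None or rec["used"]:
        return {"error": "invalid_grant"}
    if rec["expires_at"] <= store.now():
        return {"error": "expired_token"}
    if rec["client_id"] != form.get("client_id"):
        return {"error": "invalid_grant"}  # the binding the vulnerable path lacks
    if rec["approved_by"] is None:
        return {"error": "authorization_pending"}
    rec["used"] = True
    return {"access_token": secrets.token_urlsafe(16), "sub": rec["approved_by"],
            "scope": rec["scope"], "azp": rec["client_id"]}


def cross_client_exchange(endpoint):
    """Constructed scenario: 'attacker-cli' obtains the device code, the user
    approves what the consent screen shows, and the token request then names
    a different, existing client. Returns (client the user consented to,
    token endpoint response)."""
    store = DeviceCodeStore()
    device_code, user_code = store.issue("attacker-cli", "openid")
    consented_to = store.approve(user_code, "alice")
    response = endpoint(store, {"grant_type": DEVICE_CODE_GRANT,
                                "device_code": device_code,
                                "client_id": "trusted-backend"})
    return consented_to, response


if __name__ == "__main__":
    for name, ep in (("vulnerable", vulnerable_token_endpoint),
                     ("hardened", hardened_token_endpoint)):
        print(name, cross_client_exchange(ep))
```

Running the module prints the vulnerable endpoint issuing a token whose "azp" is "trusted-backend" although the user consented to "attacker-cli", while the hardened endpoint answers invalid_grant. On a real Keycloak deployment the first thing to check is which clients have the OAuth 2.0 Device Authorization Grant switched on, since Keycloak enables that grant per client and it is off by default.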

Do I need to act?

EPSS: 0.11% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance
CVSS: 3.5/10 Low (NETWORK attack vector / LOW attack complexity)

Affected Products (10)

OpenShift Container Platform for IBM Z
OpenShift Container Platform for LinuxONE

Affected Vendors

Risk score 32/100 (moderate-risk)
Severity 16/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 16/34 · Moderate