Keycloak Device Auth: Missing Validation Enables Client Consent Spoof
CVE-2023-2585 Published on December 21, 2023
Keycloak: client access via device auth request spoof
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
Vulnerability Analysis
CVE-2023-2585 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 63 days later.
Weakness Type
Improperly Implemented Security Check for Standard
The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Products Associated with CVE-2023-2585
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-2585 are published in Red Hat Single Sign On:
Affected Versions
Red Hat Single Sign-On 7: Red Hat Single Sign-On 7.6 for RHEL 7:- Version 0:18.0.8-1.redhat_00001.1.el7sso and below * is unaffected.
- Version 0:18.0.8-1.redhat_00001.1.el8sso and below * is unaffected.
- Version 0:18.0.8-1.redhat_00001.1.el9sso and below * is unaffected.
- Version 7.6-24 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.