LOW 3.5 Maven
Client Spoofing within the Keycloak Device Authorisation Grant
GHSA-f5h4-wmp5-xhg6 · CVE-2023-2585
Published · Modified
Description
Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
References
- WEB https://github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-2585
- WEB https://github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915
- WEB https://access.redhat.com/errata/RHSA-2023:3883
- WEB https://access.redhat.com/errata/RHSA-2023:3884
- WEB https://access.redhat.com/errata/RHSA-2023:3885
- WEB https://access.redhat.com/errata/RHSA-2023:3888
- WEB https://access.redhat.com/errata/RHSA-2023:3892
- WEB https://access.redhat.com/security/cve/CVE-2023-2585
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2196335
- PACKAGE https://github.com/keycloak/keycloak
Ready to move
Start Securing
Free, no credit card | First findings in minutes