CVE-2023-2585
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
| Software | From | Fixed in |
|---|---|---|
org.keycloak / keycloak-services
|
- | 21.1.2 |
|
org.keycloak / keycloak-server-spi-private
|
- | 21.1.2 |
| redhat / single_sign-on | 7.6 | 7.6.x |
| redhat / openshift_container_platform | 4.11 | 4.11.x |
| redhat / openshift_container_platform | 4.12 | 4.12.x |
| redhat / openshift_container_platform_for_ibm_z | 4.9 | 4.9.x |
| redhat / openshift_container_platform_for_ibm_z | 4.10 | 4.10.x |
| redhat / openshift_container_platform_for_linuxone | 4.9 | 4.9.x |
| redhat / openshift_container_platform_for_linuxone | 4.10 | 4.10.x |
| redhat / openshift_container_platform_for_power | 4.9 | 4.9.x |
| redhat / openshift_container_platform_for_power | 4.10 | 4.10.x |
- https://access.redhat.com/errata/RHSA-2023:3883
- https://access.redhat.com/errata/RHSA-2023:3884
- https://access.redhat.com/errata/RHSA-2023:3885
- https://access.redhat.com/errata/RHSA-2023:3888
- https://access.redhat.com/errata/RHSA-2023:3892
- https://access.redhat.com/security/cve/CVE-2023-2585
- https://bugzilla.redhat.com/show_bug.cgi?id=2196335
- https://github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915
- https://github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime