CVE-2023-2585
Keycloak: client access via device auth request spoof
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Productos afectados
Red Hat · Red Hat Single Sign-On 7Red Hat · Red Hat Single Sign-On 7.6 for RHEL 7Red Hat · Red Hat Single Sign-On 7.6 for RHEL 8Red Hat · Red Hat Single Sign-On 7.6 for RHEL 9Red Hat · RHEL-8 based Middleware Containers¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://access.redhat.com/errata/RHSA-2023:3883https://access.redhat.com/errata/RHSA-2023:3884https://access.redhat.com/errata/RHSA-2023:3885https://access.redhat.com/errata/RHSA-2023:3888https://access.redhat.com/errata/RHSA-2023:3892https://access.redhat.com/security/cve/CVE-2023-2585https://bugzilla.redhat.com/show_bug.cgi?id=2196335