CVE-2023-2585
Keycloak: client access via device auth request spoof
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or, possibly, unauthorized access to an existing OAuth client.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Affected products
Red Hat · Red Hat Single Sign-On 7
Red Hat · Red Hat Single Sign-On 7.6 for RHEL 7
Red Hat · Red Hat Single Sign-On 7.6 for RHEL 8
Red Hat · Red Hat Single Sign-On 7.6 for RHEL 9
Red Hat · RHEL-8 based Middleware Containers
References
https://access.redhat.com/errata/RHSA-2023:3883
https://access.redhat.com/errata/RHSA-2023:3884
https://access.redhat.com/errata/RHSA-2023:3885
https://access.redhat.com/errata/RHSA-2023:3888
https://access.redhat.com/errata/RHSA-2023:3892
https://access.redhat.com/security/cve/CVE-2023-2585
https://bugzilla.redhat.com/show_bug.cgi?id=2196335