CVE-2023-2585

LOW

Keycloak - Auth Bypass

Title source: llm

Description

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

References (7)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2023:3883

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2023:3884

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2023:3885

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2023:3888

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2023:3892

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2023-2585

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2196335

Scores

CVSS v3 3.5

EPSS 0.0011

EPSS Percentile 29.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Classification

CWE

CWE-358

Status published

Affected Products (12)

redhat/single_sign-on

redhat/openshift_container_platform

redhat/openshift_container_platform

redhat/openshift_container_platform_for_ibm_z

redhat/openshift_container_platform_for_ibm_z

redhat/openshift_container_platform_for_linuxone

redhat/openshift_container_platform_for_linuxone

redhat/openshift_container_platform_for_power

redhat/openshift_container_platform_for_power

redhat/single_sign-on

org.keycloak/keycloak-services < 21.1.2Maven

org.keycloak/keycloak-server-spi-private < 21.1.2Maven

Timeline

Published Dec 21, 2023

Tracked Since Feb 18, 2026