CVE-2023-2585 — Improperly Implemented Security Check for Standard in Redhat Openshift Container Platform

CWE-358 — Improperly Implemented Security Check for Standard5 documents5 sources

Severity

8.1HIGHNVD

CNA3.5

EPSS

0.1%

top 70.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform Redhat Openshift Container Platform FOR IBM Z Redhat Openshift Container Platform FOR Linuxone +2 more

Timeline

PublishedDec 21

Description

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages1 packages

▶NVDredhat/single_sign-on7.6

Also affects: Openshift Container Platform 4.11, 4.12, 4.10, 4.9

🔴Vulnerability Details

CVEList

Keycloak: client access via device auth request spoof↗2023-12-21

▶

OSV

Client Spoofing within the Keycloak Device Authorisation Grant↗2023-06-30

▶

GHSA

Client Spoofing within the Keycloak Device Authorisation Grant↗2023-06-30

▶

📋Vendor Advisories

Red Hat

keycloak: client access via device auth request spoof↗2023-06-26

▶