Base Score

HIGH8.1

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateDec 21, 2023, 10:15

Affected Versions(2)

org.keycloak:keycloak-services(Maven)

Introduced0

Fixed21.1.2

LimitN/A

org.keycloak:keycloak-server-spi-private(Maven)

Introduced0

Fixed21.1.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.keycloak:keycloak-services(Maven)	0	21.1.2	N/A
org.keycloak:keycloak-server-spi-private(Maven)	0	21.1.2	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH8.1

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE