CVE-2023-2585

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-2585
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2023:3883 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:3884 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:3885 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:3888 Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:3892 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-2585 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2196335 Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
History

02 Jan 2024, 18:28

Type Values Removed Values Added
First Time Redhat openshift Container Platform
Redhat openshift Container Platform For Linuxone
Redhat
Redhat enterprise Linux
Redhat openshift Container Platform For Ibm Z
Redhat single Sign-on
Redhat openshift Container Platform For Power
References () https://access.redhat.com/errata/RHSA-2023:3885 - () https://access.redhat.com/errata/RHSA-2023:3885 - Vendor Advisory
References () https://access.redhat.com/errata/RHSA-2023:3888 - () https://access.redhat.com/errata/RHSA-2023:3888 - Vendor Advisory
References () https://access.redhat.com/errata/RHSA-2023:3883 - () https://access.redhat.com/errata/RHSA-2023:3883 - Vendor Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2196335 - () https://bugzilla.redhat.com/show_bug.cgi?id=2196335 - Issue Tracking, Vendor Advisory
References () https://access.redhat.com/security/cve/CVE-2023-2585 - () https://access.redhat.com/security/cve/CVE-2023-2585 - Vendor Advisory
References () https://access.redhat.com/errata/RHSA-2023:3892 - () https://access.redhat.com/errata/RHSA-2023:3892 - Vendor Advisory
References () https://access.redhat.com/errata/RHSA-2023:3884 - () https://access.redhat.com/errata/RHSA-2023:3884 - Vendor Advisory
CWE NVD-CWE-Other
CPE cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1

21 Dec 2023, 13:22

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-21 10:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-2585

Mitre link : CVE-2023-2585

CVE.ORG link : CVE-2023-2585

JSON object : View

Products Affected

redhat

  • enterprise_linux
  • openshift_container_platform_for_ibm_z
  • openshift_container_platform_for_power
  • openshift_container_platform
  • openshift_container_platform_for_linuxone
  • single_sign-on
CWE
NVD-CWE-Other CWE-358

Improperly Implemented Security Check for Standard


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024