CVE-2023-2585

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description The issue is related to the improper implementation of security checks for standard elements in Keycloak, a software tool for identity and access management. This can allow a remote attacker to gain unauthorized access to protected information. Specifically, Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse this missing validation to spoof a client consent request, potentially tricking an authorization admin into granting consent to a malicious OAuth client or allowing unauthorized access to an existing OAuth client. Under certain conditions, the vulnerability enables an attacker to spoof parts of the device flow and use a device code to retrieve an access token for other OAuth clients.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.