Fedora Account System
Red Hat Associate
Red Hat Customer
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authed admin into granting consent to a malicious OAuth client, or possible unauthorized access to an existing OAuth client.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-2585