Description
Client Spoofing within the Keycloak Device Authorisation Grant
Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
References
- https://github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
- https://nvd.nist.gov/vuln/detail/CVE-2023-2585
- https://github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915
- https://access.redhat.com/errata/RHSA-2023:3883
- https://access.redhat.com/errata/RHSA-2023:3884
- https://access.redhat.com/errata/RHSA-2023:3885
- https://access.redhat.com/errata/RHSA-2023:3888
- https://access.redhat.com/errata/RHSA-2023:3892
- https://access.redhat.com/security/cve/CVE-2023-2585
- https://bugzilla.redhat.com/show_bug.cgi?id=2196335
Packages
- org.keycloak:keycloak-services: affected < 21.1.2, fixed in 21.1.2
- org.keycloak:keycloak-server-spi-private: affected < 21.1.2, fixed in 21.1.2
Related vulnerabilities
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
A vulnerability in the Keycloak identity and access management software, related to an incorrectly implemented security check for standard elements, that allows an attacker to gain unauthorized access to protected information.