Описание
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
Ссылки
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingVendor Advisory
Уязвимые конфигурации
Одновременно
Одно из
Одновременно
Одно из
EPSS
3.5 Low
CVSS3
8.1 High
CVSS3
Дефекты
Связанные уязвимости
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
Keycloak's device authorization grant does not correctly validate the ...
Client Spoofing within the Keycloak Device Authorisation Grant
Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с неправильно реализованной проверкой безопасности для стандартных элементов, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
3.5 Low
CVSS3
8.1 High
CVSS3