Client access via device auth request spoof
CVE-2023-2585
8.1 HIGH
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 21 December 2023
What is CVE-2023-2585?
Keycloak's device authorization grant contains a validation flaw that lets an attacker spoof device authorization requests. By exploiting it, an attacker can manipulate the consent flow so that authorization administrators unknowingly approve access for a malicious OAuth client. The result can be unauthorized access to sensitive information or to systems that rely on valid OAuth client consent.