CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Percentile: 38.1%
Under certain pre-conditions the vulnerability allows an attacker to spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
access.redhat.com/errata/RHSA-2023:3883
access.redhat.com/errata/RHSA-2023:3884
access.redhat.com/errata/RHSA-2023:3885
access.redhat.com/errata/RHSA-2023:3888
access.redhat.com/errata/RHSA-2023:3892
access.redhat.com/security/cve/CVE-2023-2585
bugzilla.redhat.com/show_bug.cgi?id=2196335
github.com/keycloak/keycloak
github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915
github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
nvd.nist.gov/vuln/detail/CVE-2023-2585