CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS
Percentile
38.1%
org.keycloak:keycloak-server-spi-private and org.keycloak:keycloak-services are vulnerable to Improper Authorization. The vulnerability exists under certain pre-conditions which allows an attacker to bypass authentication mechanisms via retrieving an access token for other OAuth clients, by using a device_code which was acquired through spoof parts of the device flow.
access.redhat.com/errata/RHSA-2023:3883
access.redhat.com/errata/RHSA-2023:3884
access.redhat.com/errata/RHSA-2023:3885
access.redhat.com/errata/RHSA-2023:3888
access.redhat.com/errata/RHSA-2023:3892
access.redhat.com/security/cve/cve-2023-2585
bugzilla.redhat.com/show_bug.cgi?id=2196335
github.com/advisories/GHSA-f5h4-wmp5-xhg6
github.com/keycloak/keycloak/commit/04e6244c387a1bde86184635a0049537611e3915