{
  "threat_severity" : "Low",
  "public_date" : "2023-06-26T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: client access via device auth request spoof",
    "id" : "2196335",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2196335"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-358",
  "details" : [ "Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly into granting unauthorized access to an existing OAuth client.", "Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client, or possibly into granting unauthorized access to an existing OAuth client." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3892",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3883",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3884",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3885",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el9sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3888",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-24"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-2585\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2585" ],
  "name" : "CVE-2023-2585",
  "csaw" : false
}