Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
redhat single_sign-on 7.6 |
||
redhat openshift_container_platform 4.11 |
||
redhat openshift_container_platform 4.12 |
||
redhat openshift_container_platform_for_ibm_z 4.9 |
||
redhat openshift_container_platform_for_ibm_z 4.10 |
||
redhat openshift_container_platform_for_linuxone 4.9 |
||
redhat openshift_container_platform_for_linuxone 4.10 |
||
redhat openshift_container_platform_for_power 4.9 |
||
redhat openshift_container_platform_for_power 4.10 |
||
redhat single sign-on - |
Vulmon