Keycloak's implementation of the OAuth 2.0 device authorization grant (RFC 8628) does not correctly validate the device code and the client ID bound to it. A malicious client can exploit the missing validation to spoof a client consent request and trick an authorizing administrator into granting consent to the malicious OAuth client, or to obtain unauthorized access to an existing OAuth client.
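The two checks the advisory describes as missing can be seen in a small model of the device grant. The code below is an added, constructed example written for this page; it is not Keycloak's code and does not reproduce Keycloak's fix. It assumes a server that stores each device code together with the client that requested it, and it exposes a `strict` switch: with `strict=False` the consent page shows whatever client name the request parameter carries and the token endpoint redeems any device code for any client, which is the class of behaviour the description refers to; with `strict=True` the consent page shows only the client bound to the user code and the token endpoint refuses a device code presented by a different client. The client names, codes and the `requested_client_id` parameter are assumptions made for the example.

```python
"""Model of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed example, not Keycloak code. It shows the binding between
device_code / user_code and the requesting client that the advisory says
was not validated, and the effect of checking (strict=True) or not
checking (strict=False) that binding at the consent and token steps.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceAuth:
    client_id: str       # client that started the flow (the binding)
    device_code: str
    user_code: str
    expires_at: float
    approved: bool = False
    denied: bool = False


class DeviceGrantServer:
    def __init__(self, registered_clients, strict=True):
        self.clients = set(registered_clients)
        self.strict = strict            # False reproduces the unchecked behaviour
        self.by_device = {}             # device_code -> DeviceAuth
        self.by_user = {}               # user_code   -> DeviceAuth

    def device_authorization(self, client_id):
        """Step 1: the client asks for a device_code / user_code pair."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        auth = DeviceAuth(client_id=client_id,
                          device_code=secrets.token_urlsafe(32),
                          user_code=f"{secrets.randbelow(10**8):08d}",
                          expires_at=time.time() + 600)
        self.by_device[auth.device_code] = auth
        self.by_user[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code}

    def consent_prompt(self, user_code, requested_client_id=None):
        """Step 2a: what the verification page shows the approving user/admin.

        requested_client_id is a hypothetical request parameter that an
        attacker controls; only the unchecked server honours it.
        """
        auth = self.by_user.get(user_code)
        if auth is None:
            raise LookupError("invalid user_code")
        if self.strict or requested_client_id is None:
            shown = auth.client_id          # name comes from the stored binding
        else:
            shown = requested_client_id     # unchecked: attacker chooses the name shown
        return {"client_id": shown}

    def grant_consent(self, user_code, approve):
        """Step 2b: the user/admin approves or denies the prompt."""
        auth = self.by_user[user_code]
        if approve:
            auth.approved = True
        else:
            auth.denied = True

    def token(self, device_code, client_id):
        """Step 3: the client polls the token endpoint (RFC 8628 section 3.5 errors)."""
        auth = self.by_device.get(device_code)
        if auth is None or time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if self.strict and client_id != auth.client_id:
            return {"error": "invalid_grant"}   # device_code belongs to another client
        if auth.denied:
            return {"error": "access_denied"}
        if not auth.approved:
            return {"error": "authorization_pending"}
        # Single use: drop both lookups so the code cannot be redeemed twice.
        del self.by_device[device_code]
        del self.by_user[auth.user_code]
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "Bearer",
                "client_id": auth.client_id}


if __name__ == "__main__":
    # Attacker client starts a flow and tries to show the admin a trusted name.
    for strict in (False, True):
        srv = DeviceGrantServer(["trusted-app", "evil-app"], strict=strict)
        req = srv.device_authorization("evil-app")
        prompt = srv.consent_prompt(req["user_code"], requested_client_id="trusted-app")
        srv.grant_consent(req["user_code"], approve=True)
        redeemed = srv.token(req["device_code"], "trusted-app")
        print(f"strict={strict}: prompt shows {prompt['client_id']!r}, "
              f"redeem as trusted-app -> {redeemed}")
```

The strict server ties every decision to the stored binding: the consent page names the client that actually obtained the user code, and a device code can only be exchanged by that same client, so neither spoofing the prompt nor redeeming another client's code is possible.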
Vulnerable Product | Version
---|---
redhat single sign-on | 7.6
redhat openshift container platform | 4.11
redhat openshift container platform | 4.12
redhat openshift container platform for ibm z | 4.9
redhat openshift container platform for ibm z | 4.10
redhat openshift container platform for linuxone | 4.9
redhat openshift container platform for linuxone | 4.10
redhat openshift container platform for power | 4.9
redhat openshift container platform for power | 4.10
redhat single sign-on | -