CVE-2023-2585
Java vulnerability analysis and mitigation

Overview

Keycloak's implementation of the OAuth 2.0 device authorization grant (RFC 8628) does not properly validate the device code together with the client ID presented with it (CVE-2023-2585). The flaw was disclosed in May 2023 and affects Red Hat Single Sign-On 7.6, including the Single Sign-On images shipped for Red Hat OpenShift Container Platform. Because the device grant is an authentication and authorization path, the weakness directly affects which client ends up holding a user's consent and tokens (Red Hat CVE, NVD).

Technical details

The vulnerability stems from the device authorization grant not adequately tying a device code to the client ID that obtained it: the checks performed when a user code is verified and when a device code is exchanged at the token endpoint do not confirm that the client named in the request is the client that started the flow. Red Hat Product Security rates the issue Important. The CVSS v3.1 vector reported by NVD has Network attack vector (AV:N), Low attack complexity (AC:L), No privileges required (PR:N) and User interaction required (UI:R); in practice that means a remote client with no credentials can set up the attack, but a user or administrator must act on the spoofed consent request before it completes (NVD).

Impact

The vulnerability could allow a malicious OAuth client to spoof a client consent request, tricking an authorization administrator (or the consenting user) into granting consent that appears to be for a trusted client but actually benefits the attacker's client. It could also lead to unauthorized access to an existing OAuth client, because a device code obtained by one client could be used to obtain tokens in the name of another, undermining the authorization decisions the device flow is supposed to enforce (Red Hat Bugzilla).
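The two failure modes described in the Technical details and Impact sections, a consent screen that names the wrong client and a token issued to a client other than the one that started the flow, both come down to the same missing check: the stored device-code record, not the request, must decide which client the code belongs to. The following is an added example and is not Keycloak's code; the in-memory store, the client registry, the function names and the two-client scenario are assumptions constructed for illustration. Each vulnerable pattern is shown beside its hardened form.

```python
# Added illustration of device-grant binding checks (RFC 8628). NOT Keycloak's
# code: the store, registry, function names and the scenario are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample client registry: a legitimate CLI client and a client
# controlled by an attacker, both registered with the authorization server.
REGISTERED_CLIENTS = {"cli-tool", "attacker-client"}


@dataclass
class DeviceCodeRecord:
    client_id: str                     # client that called the device authorization endpoint
    user_code: str                     # short code the user types at the verification URI
    expires_at: float
    approved_by: Optional[str] = None  # user who consented, once someone has


class DeviceGrantStore:
    """Server-side state for pending device authorizations."""

    def __init__(self) -> None:
        self.by_device_code: dict[str, DeviceCodeRecord] = {}
        self.by_user_code: dict[str, DeviceCodeRecord] = {}

    def issue(self, client_id: str, ttl: int = 600) -> tuple[str, str]:
        """Device authorization endpoint: mint a (device_code, user_code) pair bound to client_id."""
        if client_id not in REGISTERED_CLIENTS:
            raise PermissionError("invalid_client")
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        rec = DeviceCodeRecord(client_id, user_code, time.time() + ttl)
        self.by_device_code[device_code] = rec
        self.by_user_code[user_code] = rec
        return device_code, user_code

    def lookup(self, index: dict, code: str) -> DeviceCodeRecord:
        rec = index.get(code)
        if rec is None or rec.expires_at < time.time():
            raise PermissionError("expired_token")
        return rec


def consent_unbound(store, user_code, username, claimed_client_id):
    """VULNERABLE pattern: the consent step trusts a client_id carried in the
    request, so the consent screen can name a trusted client while the code
    actually belongs to the attacker's client (consent spoofing)."""
    rec = store.lookup(store.by_user_code, user_code)
    rec.approved_by = username
    return claimed_client_id  # client the user is told they are approving


def consent_bound(store, user_code, username):
    """Hardened: the client shown on the consent screen and recorded with the
    approval comes only from the stored record, never from request parameters."""
    rec = store.lookup(store.by_user_code, user_code)
    rec.approved_by = username
    return rec.client_id


def token_unbound(store, client_id, device_code):
    """VULNERABLE pattern: device_code is checked for existence and approval
    only, so the token is issued for whatever client_id the caller presents."""
    rec = store.lookup(store.by_device_code, device_code)
    if rec.approved_by is None:
        raise PermissionError("authorization_pending")
    return {"client_id": client_id, "sub": rec.approved_by}


def token_bound(store, client_id, device_code):
    """Hardened: the device_code must have been issued to the presenting client."""
    rec = store.lookup(store.by_device_code, device_code)
    if rec.client_id != client_id:
        raise PermissionError("invalid_grant: device_code was not issued to this client")
    if rec.approved_by is None:
        raise PermissionError("authorization_pending")
    return {"client_id": client_id, "sub": rec.approved_by}


def run_scenario() -> dict:
    """attacker-client starts a flow, then tries to pass it off as cli-tool."""
    store = DeviceGrantStore()
    device_code, user_code = store.issue("attacker-client")
    out = {}
    # Consent spoofing: only the unbound variant lets the request name "cli-tool".
    out["consent_unbound_shows"] = consent_unbound(store, user_code, "alice", "cli-tool")
    out["consent_bound_shows"] = consent_bound(store, user_code, "alice")
    # Client impersonation: the attacker redeems its own code as "cli-tool".
    out["token_unbound_client"] = token_unbound(store, "cli-tool", device_code)["client_id"]
    try:
        token_bound(store, "cli-tool", device_code)
        out["token_bound_rejected"] = False
    except PermissionError:
        out["token_bound_rejected"] = True
    out["token_bound_own_client"] = token_bound(store, "attacker-client", device_code)["client_id"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that `client_id` is a public, attacker-chosen value on every request in the device flow, so it can only ever be compared against the record created when the code was issued, never used as the source of truth for who the code belongs to.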

Mitigation and workarounds

Red Hat addressed this vulnerability in security updates released on June 27, 2023: RHSA-2023:3883, RHSA-2023:3884 and RHSA-2023:3885 (Red Hat Single Sign-On 7.6 for RHEL 7, 8 and 9 respectively), RHSA-2023:3888 (the Single Sign-On image for OpenShift Container Platform) and RHSA-2023:3892 (Red Hat Single Sign-On) (Red Hat Errata). Apply the advisory for your platform and confirm that the deployed build is at or above the fixed version it lists. As a general precaution rather than a vendor-documented workaround, the device authorization grant in Keycloak is enabled per client, so keeping it disabled on clients that do not need it narrows the exposed surface until the update is in place.


Related Java vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name                                  CISA KEV exploit  Has fix  Published date
CVE-2026-22244  CRITICAL  9.1    Java          org.open-metadata:platform                      No                Yes      Jan 07, 2026
CVE-2025-66518  HIGH      8.8    Java          org.apache.kyuubi:kyuubi-server_2.12            No                Yes      Jan 05, 2026
CVE-2025-61916  HIGH      7.9    Java          io.spinnaker.clouddriver:clouddriver-artifacts  No                Yes      Jan 05, 2026
CVE-2025-68280  MEDIUM    6.5    Java          org.apache.sis.core:sis-metadata                No                Yes      Jan 05, 2026
CVE-2025-66560  MEDIUM    5.9    Java          io.quarkus:quarkus-rest                         No                Yes      Jan 07, 2026
