Keycloak: exposure of sensitive information in pushed authorization requests (par) kc_restart cookie

CVE-2024-4540

7.5HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Build Of Keycloak 22; Red Hat Build Of Keycloak 24; Red Hat Single Sign-on 7
Vendor: CVE Published:; 3 June 2024

Summary

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.11-2

Red Hat build of Keycloak 22 <= 22-15

Red Hat build of Keycloak 22 <= 22-18

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 7.5 - (HIGH)
Jun 12, 2024
Vulnerability published.
Jun 3, 2024
Reported to Red Hat.
May 6, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Manuel Schallar for reporting this issue.