[MAVEN:GHSA-4VRX-8PHJ-X3MG] Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

Severity High

Affected Packages 1

Fixed Packages 1

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request, possibly leading to an information disclosure vulnerability.

Package	Affected Version
pkg:maven/org.keycloak/keycloak-services	< 24.0.5

Package	Fixed Version
pkg:maven/org.keycloak/keycloak-services	= 24.0.5

ID: MAVEN:GHSA-4VRX-8PHJ-X3MG
Severity: high
URL: https://github.com/advisories/GHSA-4vrx-8phj-x3mg
Published: 2024-06-03T18:30:50
(3 months ago)
Modified: 2024-07-30T23:52:54
(6 weeks ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2024-4540
			https://access.redhat.com/security/cve/CVE-2024-4540
			https://bugzilla.redhat.com/show_bug.cgi?id=2279303
			https://access.redhat.com/errata/RHSA-2024:3566
			https://access.redhat.com/errata/RHSA-2024:3567
			https://access.redhat.com/errata/RHSA-2024:3568
			https://access.redhat.com/errata/RHSA-2024:3570
			https://access.redhat.com/errata/RHSA-2024:3572
			https://access.redhat.com/errata/RHSA-2024:3573
			https://access.redhat.com/errata/RHSA-2024:3574
			https://access.redhat.com/errata/RHSA-2024:3575
			https://access.redhat.com/errata/RHSA-2024:3576
			https://github.com/advisories/GHSA-4vrx-8phj-x3mg

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	< 24.0.5
Fixed	pkg:maven/org.keycloak/keycloak-services	org.keycloak	keycloak-services	= 24.0.5