[MAVEN:GHSA-69FP-7C8P-CRJR] Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
- Severity: High
- Affected Packages: 1
- Fixed Packages: 1
- CVEs: 1
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR) flow. Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.
| Package | Affected Version |
|---|---|
| pkg:maven/org.keycloak/keycloak-services | < 24.0.5 |

| Package | Fixed Version |
|---|---|
| pkg:maven/org.keycloak/keycloak-services | = 24.0.5 |
- ID: MAVEN:GHSA-69FP-7C8P-CRJR
- Severity: high
- URL: https://github.com/advisories/GHSA-69fp-7c8p-crjr
- Published: 2024-06-10T18:36:56 (3 months ago)
- Modified: 2024-06-10T18:36:57 (3 months ago)
- Rights: Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.keycloak/keycloak-services | org.keycloak | keycloak-services | < 24.0.5 | | | |
| Fixed | pkg:maven/org.keycloak/keycloak-services | org.keycloak | keycloak-services | = 24.0.5 | | | |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|