[MAVEN:GHSA-69FP-7C8P-CRJR] Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
Severity
High
Affected Packages
1
Fixed Packages
1
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.
| Package | Affected Version |
|---|---|
 pkg:maven/org.keycloak/keycloak-services
|
< 24.0.5 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.keycloak/keycloak-services
|
= 24.0.5 |
- ID
- MAVEN:GHSA-69FP-7C8P-CRJR
- Severity
- high
- URL
- https://github.com/advisories/GHSA-69fp-7c8p-crjr
- Published
-
2024-06-10T18:36:56
(6 weeks ago) - Modified
-
2024-06-10T18:36:57
(6 weeks ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.keycloak/keycloak-services | org.keycloak |
keycloak-services
|
< 24.0.5 | |||
| Fixed | pkg:maven/org.keycloak/keycloak-services | org.keycloak |
keycloak-services
|
= 24.0.5 |