[MAVEN:GHSA-69FP-7C8P-CRJR] Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

Severity High
Affected Packages 1
Fixed Packages 1

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.

Package Affected Version
pkg:maven/org.keycloak/keycloak-services < 24.0.5
Package Fixed Version
pkg:maven/org.keycloak/keycloak-services = 24.0.5
ID
MAVEN:GHSA-69FP-7C8P-CRJR
Severity
high
URL
https://github.com/advisories/GHSA-69fp-7c8p-crjr
Published
2024-06-10T18:36:56
(13 days ago)
Modified
2024-06-10T18:36:57
(13 days ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.keycloak/keycloak-services org.keycloak keycloak-services < 24.0.5
Fixed pkg:maven/org.keycloak/keycloak-services org.keycloak keycloak-services = 24.0.5
Loading...