GitHub Advisory Database: GHSA-69FP-7C8P-CRJR
Published: Jun 10, 2024 - 6:36 p.m.

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

CWE-922 (Insecure Storage of Sensitive Information)
Source: GitHub Advisory Database (github.com)
Tags: keycloak, par, vulnerability, sensitive information, kc_restart, cookie, information disclosure, http response, authorization server

AI Score: 6.6 Medium (confidence: Low)

A flaw was found in Keycloak's handling of OAuth 2.0 Pushed Authorization Requests (PAR). Parameters that the client had pushed to the PAR endpoint were included in plain text in the KC_RESTART cookie set by the authorization server's HTTP response to the subsequent authorization request that referenced them via request_uri. PAR exists precisely to keep those request parameters off the front channel, so echoing them back into a browser cookie undoes that protection and can disclose them to any party able to observe the response or read the browser's cookie store. This is an information disclosure vulnerability (CWE-922).
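A practical way to confirm whether a deployment exhibits this behaviour is to run a PAR flow against it and inspect the Set-Cookie headers on the authorization response for the parameters you pushed. The following added example (not Keycloak's own code, nor part of the advisory) does the offline half of that check: it parses Set-Cookie headers, decodes the KC_RESTART value in the ways a plaintext leak would be readable (raw, URL-decoded, and each dot-separated segment as base64url), and reports which pushed parameters appear. The cookie format, the sample headers and the pushed parameters are all constructed assumptions for the demonstration; point the function at the headers you actually capture.

```python
"""Probe an authorization server's HTTP response for pushed authorization
request (PAR) parameters echoed in plaintext into the KC_RESTART cookie.

Added example, not Keycloak's own code. Assumptions: the cookie value is
readable as-is, URL-encoded, or as a dot-separated token whose segments are
base64url-encoded (JWT/JWE-style); every such view is probed. All sample
headers and parameters below are constructed for the demonstration."""
import base64
import binascii
import json
from urllib.parse import unquote

MIN_VALUE_LEN = 4  # ignore very short values that would match by chance


def _b64url_decode(segment: str) -> bytes:
    pad = "=" * (-len(segment) % 4)
    try:
        return base64.urlsafe_b64decode(segment + pad)
    except (ValueError, binascii.Error):
        return b""


def plaintext_views(cookie_value: str):
    """Readable views of a cookie value: raw, URL-decoded, and each
    dot-separated segment base64url-decoded (undecodable segments skipped)."""
    decoded = unquote(cookie_value)
    views = [cookie_value, decoded]
    for seg in decoded.split("."):
        raw = _b64url_decode(seg)
        if raw:
            views.append(raw.decode("utf-8", errors="replace"))
    return views


def parse_set_cookie(headers):
    """Map cookie name -> value from a list of Set-Cookie header values;
    attributes after the first ';' (Path, HttpOnly, ...) are ignored."""
    jar = {}
    for header in headers:
        pair = header.split(";", 1)[0]
        if "=" in pair:
            name, value = pair.split("=", 1)
            jar[name.strip()] = value.strip().strip('"')
    return jar


def find_leaked_params(set_cookie_headers, pushed_params, cookie_name="KC_RESTART"):
    """Sorted names of pushed parameters whose values occur in plaintext in
    any decoded view of the named cookie; [] when the cookie is absent."""
    jar = parse_set_cookie(set_cookie_headers)
    if cookie_name not in jar:
        return []
    views = plaintext_views(jar[cookie_name])
    return sorted(
        name for name, value in pushed_params.items()
        if len(value) >= MIN_VALUE_LEN and any(value in view for view in views)
    )


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# Constructed sample: parameters a client would push to the PAR endpoint
# before redirecting the user agent with request_uri.
PUSHED_PARAMS = {
    "client_id": "demo-client",
    "login_hint": "alice@example.com",
    "state": "s3cr3t-state-9f1e",
    "scope": "openid profile",
}

# Constructed response resembling the vulnerable behaviour: a signed but
# unencrypted token whose payload repeats two of the pushed parameters.
_LEAKY_TOKEN = ".".join([
    _b64url(b'{"alg":"HS256"}'),
    _b64url(json.dumps({"login_hint": "alice@example.com",
                        "state": "s3cr3t-state-9f1e"}).encode()),
    _b64url(b"\x00\x01\x02\x03"),
])
LEAKY_HEADERS = [
    f"KC_RESTART={_LEAKY_TOKEN}; Path=/realms/demo; HttpOnly; Secure",
    "AUTH_SESSION_ID=5b1d3c; Path=/realms/demo; HttpOnly",
]

# Constructed response resembling non-leaking behaviour: an opaque/encrypted
# value whose decoded segments reveal nothing about the pushed parameters.
_OPAQUE_TOKEN = ".".join([
    _b64url(b'{"alg":"dir","enc":"A256GCM"}'),
    "",
    _b64url(b"\x8a\x11ciphertext-bytes\x7f"),
    _b64url(b"\x13\x37auth-tag"),
])
OPAQUE_HEADERS = [f"KC_RESTART={_OPAQUE_TOKEN}; Path=/realms/demo; HttpOnly; Secure"]

if __name__ == "__main__":
    print("leaky  :", find_leaked_params(LEAKY_HEADERS, PUSHED_PARAMS))
    print("opaque :", find_leaked_params(OPAQUE_HEADERS, PUSHED_PARAMS))
```

A negative result from this check only shows the values are not recoverable by the decodings tried; it does not prove the cookie is encrypted. The authoritative remediation remains the version bound in the affected-configurations table below.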

Affected configurations

Package                          Operator  Version
org.keycloak:keycloak-services   lt        24.0.5

Versions of keycloak-services before 24.0.5 are affected; 24.0.5 or later is not in the affected range.
