A flaw was found in Keycloak's support for OAuth 2.0 Pushed Authorization Requests (PAR). Parameters the client had pushed to the PAR endpoint were included in plain text in the KC_RESTART cookie set by the authorization server's HTTP response to an authorization request that referenced them via request_uri. Because PAR is meant to keep those parameters off the front channel, echoing them into a cookie could lead to an information disclosure vulnerability.
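As an added example (not part of this advisory and not Keycloak code): a Python check that takes the Set-Cookie headers captured from the authorization server's response to a request_uri authorization request, plus the parameters the client pushed to the PAR endpoint, and reports which parameter values are readable from the KC_RESTART cookie, either verbatim or inside a base64url-decoded segment of a JWS/JWE-shaped token. The two sample responses are constructed for this example; the token layout and the payload field names are made up and do not describe the real KC_RESTART format. Run it against a captured response from your own deployment before and after upgrading.

```python
import base64
import binascii
import json
from urllib.parse import unquote

COOKIE_NAME = "KC_RESTART"


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for token segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> str:
    """Best-effort decode of one dot-separated segment; '' if it is not base64url."""
    segment = segment.strip()
    pad = "=" * (-len(segment) % 4)
    try:
        return base64.urlsafe_b64decode(segment + pad).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def _cookie_value(set_cookie_headers, name):
    """Return the value of cookie `name` from a list of Set-Cookie header values."""
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()       # drop Path/HttpOnly/Secure attributes
        key, sep, value = pair.partition("=")        # partition: the value itself may contain '='
        if sep and key.strip() == name:
            return unquote(value.strip())
    return None


def find_plaintext_params(set_cookie_headers, client_params):
    """Map each client-provided parameter name to where its value is readable in
    KC_RESTART: 'segment[i]' for a base64url-decoded dot-separated segment, or
    'raw' for the undecoded cookie value. Empty dict means nothing was found.
    Short values can in theory match inside an encoded segment by chance, so
    treat 'raw' hits on short strings as something to confirm by hand."""
    value = _cookie_value(set_cookie_headers, COOKIE_NAME)
    if value is None:
        return {}
    views = {}
    for i, seg in enumerate(value.split(".")):
        decoded = _b64url_decode(seg)
        if decoded:
            views[f"segment[{i}]"] = decoded
    views["raw"] = value
    leaks = {}
    for name, param_value in client_params.items():
        for where, text in views.items():
            if param_value and param_value in text:
                leaks[name] = where
                break
    return leaks


# Constructed parameters the client pushed to the PAR endpoint (values are made up).
CLIENT_PARAMS = {
    "redirect_uri": "https://app.example.test/callback",
    "state": "st-7f2c9e1a",
    "scope": "openid profile email",
}

# Constructed "vulnerable" response: a signed-but-unencrypted JWS-shaped token whose
# payload echoes the pushed parameters. Field names are hypothetical.
_VULN_PAYLOAD = json.dumps({"cid": "demo-client", "notes": CLIENT_PARAMS}).encode()
VULNERABLE_HEADERS = [
    "KC_RESTART=" + ".".join([_b64url(b'{"alg":"HS256"}'), _b64url(_VULN_PAYLOAD), _b64url(b"sig")])
    + "; Path=/realms/demo/; HttpOnly; Secure",
]

# Constructed "fixed" response: a JWE-shaped token whose payload is opaque ciphertext
# (fixed dummy bytes here, so the example is deterministic), so no value is readable.
_OPAQUE = bytes(range(0, 256, 3))
FIXED_HEADERS = [
    "KC_RESTART=" + ".".join([_b64url(b'{"alg":"dir","enc":"A128CBC-HS256"}'), "",
                              _b64url(_OPAQUE[:16]), _b64url(_OPAQUE[16:80]), _b64url(_OPAQUE[80:96])])
    + "; Path=/realms/demo/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print("vulnerable:", find_plaintext_params(VULNERABLE_HEADERS, CLIENT_PARAMS))
    print("fixed:", find_plaintext_params(FIXED_HEADERS, CLIENT_PARAMS))
```

The check deliberately does not verify or decrypt anything: the point of the advisory is that a party who merely holds the cookie can read the values, so a substring search over the cookie and its decodable segments is exactly the attacker's capability being tested.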
Affected package (CPE):

Package | Operator | Version
---|---|---
org.keycloak:keycloak-services | lt (less than) | 24.0.5