Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.

Published: Jun 10, 2024
Updated: Jun 27, 2024
GHSA: GHSA-69fp-7c8p-crjr
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-922

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-services	-	24.0.5

https://github.com/keycloak/keycloak/commit/2191cc26ae6deb52eeaf74046027b65804d16fd0
https://github.com/keycloak/keycloak/security/advisories/GHSA-69fp-7c8p-crjr

Vulnerability Database

289,599

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)