CVE-2024-4540
HIGHKeycloak < 24.0.5 - Cleartext Storage of Sensitive Information in OAuth 2.0 PAR KC_RESTART Cookie
Title source: llmDescription
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
References (11)
Core 11
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3566
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3567
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3568
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3570
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3572
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3573
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3574
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3575
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3576
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-4540
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2279303
Scores
CVSS v3
7.5
EPSS
0.0055
EPSS Percentile
41.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-312
Status
published
Products (12)
org.keycloak/keycloak-services
0 - 24.0.5Maven
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 22
22-15
Red Hat/Red Hat build of Keycloak 22
22-18
Red Hat/Red Hat build of Keycloak 22
22.0.11-2
Red Hat/Red Hat build of Keycloak 24
24-10
Red Hat/Red Hat build of Keycloak 24
24.0.5-2
Red Hat/Red Hat Single Sign-On 7
Red Hat/Red Hat Single Sign-On 7.6 for RHEL 7
0:18.0.14-1.redhat_00001.1.el7sso
Red Hat/Red Hat Single Sign-On 7.6 for RHEL 8
0:18.0.14-1.redhat_00001.1.el8sso
... and 2 more
Published
Jun 03, 2024
Tracked Since
Feb 18, 2026