CVE-2024-4540
HIGHOrg.keycloak Keycloak-services < 24.0.5 - Information Disclosure
Title source: ruleDescription
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
References (11)
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
54.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-312
Status
published
Products (12)
org.keycloak/keycloak-services
0 - 24.0.5Maven
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 22
22-15
Red Hat/Red Hat build of Keycloak 22
22-18
Red Hat/Red Hat build of Keycloak 22
22.0.11-2
Red Hat/Red Hat build of Keycloak 24
24-10
Red Hat/Red Hat build of Keycloak 24
24.0.5-2
Red Hat/Red Hat Single Sign-On 7
Red Hat/Red Hat Single Sign-On 7.6 for RHEL 7
0:18.0.14-1.redhat_00001.1.el7sso
Red Hat/Red Hat Single Sign-On 7.6 for RHEL 8
0:18.0.14-1.redhat_00001.1.el8sso
... and 2 more
Published
Jun 03, 2024
Tracked Since
Feb 18, 2026