CVE-2024-4540

Summary

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request, possibly leading to an information disclosure vulnerability.

Affected Software

VendorProductVersion RangeStatus
d5e82356f90893ca3b308a7e10020103e402369a < *unaffected
Red HatRed Hat build of Keycloak 2222.0.11-2 < *unaffected
Red HatRed Hat build of Keycloak 2222-15 < *unaffected
Red HatRed Hat build of Keycloak 2222-18 < *unaffected
Red HatRed Hat build of Keycloak 2424.0.5-2 < *unaffected
Red HatRed Hat build of Keycloak 2424-10 < *unaffected
Red HatRed Hat build of Keycloak 2424-10 < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.14-1.redhat_00001.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.14-1.redhat_00001.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.14-1.redhat_00001.1.el9sso < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-49 < *unaffected

Weaknesses

  • CWE-312: Cleartext Storage of Sensitive Information

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References