CVE-2024-4540
Published: Jun 3, 2024
Modified: Mar 26, 2026
CVSS v3.1
7.5
Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
| Vendor | Product | Versions |
|---|---|---|
Unknown | keycloak | unaffected d5e82356f90893ca3b308a7e10020103e402369a - < * |
Red Hat | Red Hat Build of Keycloak | All versions |
Red Hat | Red Hat Build of Keycloak | All versions |
Red Hat | Red Hat build of Keycloak 22 | unaffected 22.0.11-2 - < * |
Red Hat | Red Hat build of Keycloak 22 | unaffected 22-15 - < * |
Red Hat | Red Hat build of Keycloak 22 | unaffected 22-18 - < * |
Red Hat | Red Hat build of Keycloak 24 | unaffected 24.0.5-2 - < * |
Red Hat | Red Hat build of Keycloak 24 | unaffected 24-10 - < * |
Red Hat | Red Hat build of Keycloak 24 | unaffected 24-10 - < * |
Red Hat | Red Hat Single Sign-On 7 | All versions |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | unaffected 0:18.0.14-1.redhat_00001.1.el7sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | unaffected 0:18.0.14-1.redhat_00001.1.el8sso - < * |
Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | unaffected 0:18.0.14-1.redhat_00001.1.el9sso - < * |
Red Hat | RHEL-8 based Middleware Containers | unaffected 7.6-49 - < * |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now