PT-2024-4437 · Red Hat · Keycloak

Mauro Matteo Cascella · Published 2024-05-06 · Updated 2026-02-25 · CVE-2024-4540

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request, possibly leading to an information disclosure vulnerability.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Information Disclosure
Insecure Storage of Sensitive Information
Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2024-04939
CVE-2024-4540
GHSA-4VRX-8PHJ-X3MG
GHSA-69FP-7C8P-CRJR
RHSA-2024:3566
RHSA-2024:3567
RHSA-2024:3568

Affected Products

Keycloak