Security
Headlines

Headlines Latest CVEs

Headline

GHSA-69fp-7c8p-crjr: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server’s HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.

5 months ago

#vulnerability #git #java #oauth #auth #maven

GitHub Advisory Database
GitHub Reviewed
GHSA-69fp-7c8p-crjr

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

High severity GitHub Reviewed Published Jun 10, 2024 in keycloak/keycloak • Updated Jun 10, 2024

Package

maven org.keycloak:keycloak-services (Maven)

Affected versions

< 24.0.5

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server’s HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.

References

GHSA-69fp-7c8p-crjr
keycloak/keycloak@2191cc2

Published to the GitHub Advisory Database

Jun 10, 2024

Last updated

Jun 10, 2024

ghsa: Latest News

GHSA-27wf-5967-98gx: Kubernetes kubelet arbitrary command execution

1 day ago

GHSA-mr95-vfcf-fx9p: Apache Answer: Predictable Authorization Token Using UUIDv1

1 day ago

GHSA-pqhp-25j4-6hq9: smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables

1 day ago

GHSA-v5h2-q2w4-gpcx: Sentry improper error handling leaks Application Integration Client Secret

1 day ago

GHSA-8w49-h785-mj3c: Tornado has an HTTP cookie parsing DoS vulnerability

1 day ago