Bug 2279303 (CVE-2024-4540)

Summary: CVE-2024-4540 keycloak: exposure of sensitive information in Pushed Authorization Requests (PAR) KC_RESTART cookie
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: boliveir, chazlett, drichtar, jkoops, mulliken, pdrozd, peholase, pjindal, pskopek, rmartinc, rowaters, security-response-team, sthorger
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2279307

Description Mauro Matteo Cascella 2024-05-06 13:02:38 UTC
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request. This could lead to an information disclosure vulnerability.
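
A verification check for the behaviour described above, added here as an example (it is not Keycloak's code and not part of the original report): given the parameters a client pushed to the PAR endpoint and the Set-Cookie header returned for the `request_uri` authorization request, it reports which parameter values can be read back from the KC_RESTART cookie without any key. It assumes only that the cookie value may be shaped like a compact JWS (dot-separated base64url segments); the claim names, sample headers and parameter values are constructed.

```python
import base64
import json
from typing import Dict, List, Optional
# Constructed sample data (not from Keycloak): parameters a client pushed to the PAR
# endpoint and later referenced via request_uri at the authorization endpoint.
PUSHED_PARAMS = {"redirect_uri": "https://app.example/cb", "scope": "openid profile", "state": "xyz123"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_cookie(payload: dict) -> str:
    """Constructed compact-JWS-shaped KC_RESTART value (header.payload.signature) with a
    placeholder signature; the claim names are illustrative, not Keycloak's real ones."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.{_b64url(b'placeholder-sig')}"

def kc_restart_from_header(set_cookie: str) -> Optional[str]:
    """Pull the KC_RESTART value out of a Set-Cookie header line, or None if absent."""
    name, _, rest = set_cookie.strip().partition("=")
    if name.strip() != "KC_RESTART":
        return None
    return rest.split(";", 1)[0].strip()

def plaintext_views(cookie_value: str) -> List[str]:
    """The raw value plus every dot-separated segment that base64url-decodes to UTF-8 text,
    so a value hidden only by base64url encoding still counts as plain text."""
    views = [cookie_value]
    for seg in cookie_value.split("."):
        try:
            padded = seg + "=" * (-len(seg) % 4)
            views.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # not base64url, or not text: skip it
            pass
    return views

def leaked_par_params(set_cookie: str, pushed: Dict[str, str]) -> List[str]:
    """Names of pushed parameters whose values are recoverable from KC_RESTART without
    any key. An empty list is the result a fixed server should produce."""
    value = kc_restart_from_header(set_cookie)
    if value is None:
        return []
    views = plaintext_views(value)
    return sorted(name for name, val in pushed.items() if any(val in v for v in views))

# Constructed Set-Cookie headers: one leaking the pushed parameters, one carrying only
# an opaque session reference (what a fixed server should emit).
COOKIE_ATTRS = "; Path=/; HttpOnly; Secure"
LEAKY_RESPONSE = "KC_RESTART=" + build_cookie({"client_id": "demo", "params": PUSHED_PARAMS}) + COOKIE_ATTRS
CLEAN_RESPONSE = "KC_RESTART=" + build_cookie({"client_id": "demo", "auth_session": "placeholder-id"}) + COOKIE_ATTRS
```

Run it against a real response captured from your own authorization server after applying the fix; any non-empty result means a pushed parameter is still readable from the cookie.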

Comment 4 errata-xmlrpc 2024-06-03 19:46:37 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:3566 https://access.redhat.com/errata/RHSA-2024:3566

Comment 5 errata-xmlrpc 2024-06-03 19:46:38 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:3568 https://access.redhat.com/errata/RHSA-2024:3568

Comment 6 errata-xmlrpc 2024-06-03 19:46:48 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:3567 https://access.redhat.com/errata/RHSA-2024:3567

Comment 7 errata-xmlrpc 2024-06-03 19:50:28 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:3570 https://access.redhat.com/errata/RHSA-2024:3570

Comment 8 errata-xmlrpc 2024-06-03 20:00:40 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:3572 https://access.redhat.com/errata/RHSA-2024:3572

Comment 9 errata-xmlrpc 2024-06-03 21:10:48 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:3574 https://access.redhat.com/errata/RHSA-2024:3574

Comment 10 errata-xmlrpc 2024-06-03 21:15:06 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:3573 https://access.redhat.com/errata/RHSA-2024:3573

Comment 11 errata-xmlrpc 2024-06-03 21:26:18 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:3575 https://access.redhat.com/errata/RHSA-2024:3575

Comment 12 errata-xmlrpc 2024-06-03 21:30:20 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:3576 https://access.redhat.com/errata/RHSA-2024:3576