A flaw was found in Keycloak's implementation of OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided request parameters were included in plain text in the KC_RESTART cookie that the authorization server set in its HTTP response to an authorization request made with a `request_uri`. This could lead to an information disclosure vulnerability.
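The following is an added, defender-side check and is not part of this advisory nor Keycloak's own code. It takes the Set-Cookie headers from an authorization response, decodes the KC_RESTART cookie payload, and reports which of the parameters the client pushed in its PAR request appear verbatim in that payload. It assumes that KC_RESTART is a compact JWS (header.payload.signature) with a JSON payload; it only base64url-decodes the payload and does not verify the signature, since the HMAC key stays on the server. The sample cookies, the `notes` field, the client id and all parameter values are constructed for illustration.

```python
"""Check whether a Keycloak KC_RESTART cookie echoes pushed (PAR) request
parameters in plaintext. Added example; not from the advisory or Keycloak.

Assumptions (verify against your Keycloak version):
  * KC_RESTART is a compact JWS: base64url(header).base64url(payload).signature
  * The payload is JSON; leaked parameters show up as leaf values somewhere
    inside it (the "notes" object used below is illustrative).
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def extract_kc_restart(set_cookie_headers):
    """Return the KC_RESTART value from a list of Set-Cookie header values, or None."""
    for header in set_cookie_headers:
        name_value = header.split(";", 1)[0].strip()       # drop Path/HttpOnly/Secure attributes
        name, sep, value = name_value.partition("=")
        if sep and name.strip() == "KC_RESTART":
            return value.strip()
    return None


def decode_jws_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def _flatten(obj, prefix=""):
    """Yield (dotted.path, leaf_value) pairs for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{index}.")
    else:
        yield prefix[:-1], obj


def find_leaked_params(set_cookie_headers, pushed_params):
    """Map each pushed parameter name to the payload path where its value was
    found in plaintext. An empty dict means nothing the client pushed is echoed."""
    token = extract_kc_restart(set_cookie_headers)
    if token is None:
        return {}
    leaves = list(_flatten(decode_jws_payload(token)))
    leaked = {}
    for name, sent_value in pushed_params.items():
        for path, found_value in leaves:
            if isinstance(found_value, str) and found_value == sent_value:
                leaked[name] = path
                break
    return leaked


# ---- constructed sample data -------------------------------------------------

def build_sample_cookie(payload: dict) -> str:
    """Constructed Set-Cookie header shaped like KC_RESTART. Keycloak signs the
    real token with the realm HMAC key; the signature here is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": "example-kid"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return (f"KC_RESTART={header}.{body}.placeholder-signature; "
            "Path=/realms/example; HttpOnly; Secure")


# Parameters the (hypothetical) client sent by value in its PAR request.
PUSHED_PARAMS = {
    "state": "st-4f1c9a",
    "nonce": "nc-77b2",
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
}

# Response that echoes two pushed values in the cookie payload (the flaw).
VULNERABLE_RESPONSE = [build_sample_cookie(
    {"cid": "my-client", "notes": {"state": "st-4f1c9a", "nonce": "nc-77b2"}})]

# Response whose cookie carries no pushed values (expected after the fix).
FIXED_RESPONSE = [build_sample_cookie({"cid": "my-client", "notes": {}})]


if __name__ == "__main__":
    print("vulnerable:", find_leaked_params(VULNERABLE_RESPONSE, PUSHED_PARAMS))
    print("fixed:     ", find_leaked_params(FIXED_RESPONSE, PUSHED_PARAMS))
```

Matching on the values you actually pushed, rather than on guessed field names, keeps the check independent of how a given Keycloak version lays out the cookie payload; feed it the real Set-Cookie headers captured from your own authorization endpoint before and after applying the erratum to confirm the payload no longer carries them.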
This issue has been addressed in the following products:
- Red Hat Single Sign-On 7.6 for RHEL 7, via RHSA-2024:3566: https://access.redhat.com/errata/RHSA-2024:3566
- Red Hat Single Sign-On 7.6 for RHEL 9, via RHSA-2024:3568: https://access.redhat.com/errata/RHSA-2024:3568
- Red Hat Single Sign-On 7.6 for RHEL 8, via RHSA-2024:3567: https://access.redhat.com/errata/RHSA-2024:3567
- RHEL-8 based Middleware Containers, via RHSA-2024:3570: https://access.redhat.com/errata/RHSA-2024:3570
- Red Hat Single Sign-On, via RHSA-2024:3572: https://access.redhat.com/errata/RHSA-2024:3572
- Red Hat build of Keycloak 22, via RHSA-2024:3574: https://access.redhat.com/errata/RHSA-2024:3574
- Red Hat build of Keycloak 22, via RHSA-2024:3573: https://access.redhat.com/errata/RHSA-2024:3573
- Red Hat build of Keycloak 22, via RHSA-2024:3575: https://access.redhat.com/errata/RHSA-2024:3575
- Red Hat build of Keycloak 24, via RHSA-2024:3576: https://access.redhat.com/errata/RHSA-2024:3576