Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-4540

Good to know:

icon
icon

Date: June 3, 2024

A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.

Language: Java

Severity Score

Related Resources (16)

https://github.com/keycloak/keycloak/commit/2191cc26ae6deb52eeaf74046027b65804d16fd0
https://access.redhat.com/errata/RHSA-2024:3570
https://access.redhat.com/errata/RHSA-2024:3573
https://access.redhat.com/errata/RHSA-2024:3574
https://bugzilla.redhat.com/show_bug.cgi?id=2279303
https://nvd.nist.gov/vuln/detail/CVE-2024-4540
https://access.redhat.com/errata/RHSA-2024:3572
https://access.redhat.com/security/cve/CVE-2024-4540
https://access.redhat.com/errata/RHSA-2024:3566
https://access.redhat.com/errata/RHSA-2024:3567
https://access.redhat.com/errata/RHSA-2024:3575
https://access.redhat.com/errata/RHSA-2024:3576
https://github.com/keycloak/keycloak/security/advisories/GHSA-69fp-7c8p-crjr
https://access.redhat.com/errata/RHSA-2024:3568
https://github.com/keycloak/keycloak
https://www.mend.io/vulnerability-database/CVE-2024-4540

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insecure Storage of Sensitive Information

CWE-922

Top Fix

icon

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:16.1.0;org.keycloak:keycloak-services:24.0.5;org.keycloak:keycloak-services:4.2.0.Final;org.keycloak:keycloak-services:24.0.5;org.keycloak:keycloak-services:24.0.5;org.keycloak:keycloak-services:1.8.0.CR2;org.keycloak:keycloak-services:1.5.0-Final;org.keycloak:keycloak-services:1.6.0.Final;org.keycloak:keycloak-services:1.0-beta-1-20150521;org.keycloak:keycloak-services:3.3.0.CR2;org.jboss.aerogear.unifiedpush:unifiedpush-auth-server:1.0.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us