Vulnerability Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2024:3566
- https://access.redhat.com/errata/RHSA-2024:3567
- https://access.redhat.com/errata/RHSA-2024:3568
- https://access.redhat.com/errata/RHSA-2024:3570
- https://access.redhat.com/errata/RHSA-2024:3572
- https://access.redhat.com/errata/RHSA-2024:3573
- https://access.redhat.com/errata/RHSA-2024:3574
- https://access.redhat.com/errata/RHSA-2024:3575
- https://access.redhat.com/errata/RHSA-2024:3576
- https://access.redhat.com/security/cve/CVE-2024-4540
- https://bugzilla.redhat.com/show_bug.cgi?id=2279303
- https://access.redhat.com/errata/RHSA-2024:3566
- https://access.redhat.com/errata/RHSA-2024:3567
- https://access.redhat.com/errata/RHSA-2024:3568
- https://access.redhat.com/errata/RHSA-2024:3570
FAQ
What is CVE-2024-4540?
CVE-2024-4540 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization...
How severe is CVE-2024-4540?
CVE-2024-4540 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-4540?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.