You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
High severity
GitHub Reviewed
Published
Jun 3, 2024
to the GitHub Advisory Database
•
Updated Jul 30, 2024
Withdrawn
This advisory was withdrawn on Jul 30, 2024
This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.
Original Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request, possibly leading to an information disclosure vulnerability.
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.
Original Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a
request_uri
authorization request, possibly leading to an information disclosure vulnerability.References