Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
Description
Published to the GitHub Advisory Database: Jun 10, 2024
Reviewed: Jun 10, 2024
Last updated: Jun 10, 2024
A flaw was found in Keycloak's implementation of OAuth 2.0 Pushed Authorization Requests (PAR, RFC 9126). With PAR the client sends its authorization request parameters directly to the authorization server's PAR endpoint and receives an opaque request_uri in return, so that the parameters themselves never have to pass through the browser. Keycloak, however, included the client-provided parameters in plain text in the KC_RESTART cookie that the authorization server set in its HTTP response to an authorization request made with that request_uri. This could lead to an information disclosure vulnerability: the pushed parameters become readable to anyone who can observe that cookie in the browser response, which defeats the confidentiality benefit PAR is meant to provide.
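A practitioner who wants to verify whether their own deployment (or a patched one) still echoes pushed parameters in the restart cookie can capture the Set-Cookie header of the response to the request_uri authorization request and search it for the values they pushed. The checker below is an added example written for this advisory, not Keycloak's own code: it inspects the cookie value raw, URL-decoded, and with each dot-separated base64url segment decoded (base64url is encoding, not confidentiality), and reports which pushed parameters are readable. The cookie shape, the `PUSHED_PARAMS` request body, the "vulnerable" and "fixed" Set-Cookie headers and the request_uri value are all constructed for illustration; the real KC_RESTART format and what the upstream fix changed are not asserted here.

```python
"""Check whether a KC_RESTART cookie exposes parameters pushed via PAR.

Added example for this advisory; not Keycloak code. All sample data below
is constructed for illustration.
"""
import base64
import binascii
import json
import urllib.parse
from typing import Dict, List

# Values shorter than this are enumerated tokens (response_type=code, S256)
# that would match almost any cookie by chance, so they are not reported.
MIN_VALUE_LEN = 8


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, tolerating missing padding; b'' on failure."""
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except (binascii.Error, ValueError):
        return b""


def extract_cookie(set_cookie_header: str, name: str) -> str:
    """Return the value of cookie `name` from a Set-Cookie header, or '' if absent."""
    first = set_cookie_header.split(";", 1)[0].strip()
    key, sep, value = first.partition("=")
    return value if sep and key.strip() == name else ""


def cookie_views(cookie_value: str) -> List[str]:
    """Every form in which a plaintext parameter could be visible in the cookie:
    the raw value, its URL-decoded form, and each base64url segment of a
    dot-separated (JWS/JWE-shaped) token decoded to text."""
    unquoted = urllib.parse.unquote(cookie_value)
    views = [cookie_value, unquoted]
    for segment in unquoted.split("."):
        decoded = _b64url_decode(segment)
        if decoded:
            views.append(decoded.decode("utf-8", errors="replace"))
    return views


def leaked_parameters(set_cookie_header: str, pushed: Dict[str, str],
                      cookie_name: str = "KC_RESTART") -> Dict[str, str]:
    """Return the pushed parameters whose values are readable in the cookie."""
    views = cookie_views(extract_cookie(set_cookie_header, cookie_name))
    return {k: v for k, v in pushed.items()
            if len(v) >= MIN_VALUE_LEN and any(v in view for view in views)}


# Constructed PAR request body: what the client POSTs to the PAR endpoint.
PUSHED_PARAMS = {
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "code_challenge_method": "S256",
}


def _jws_shaped(payload: dict) -> str:
    """Build an unencrypted header.payload.signature token (constructed cookie
    shape; the signature is a placeholder and is never verified here)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"HS256","typ":"JWT"}'),
                     enc(json.dumps(payload).encode()),
                     enc(b"constructed-signature")])


_ATTRS = "; Path=/realms/demo/; HttpOnly; Secure; SameSite=None"

# Constructed vulnerable response: the restart cookie carries the pushed
# parameters in a merely base64url-encoded payload.
VULNERABLE_SET_COOKIE = "KC_RESTART=" + _jws_shaped({
    "redirect_uri": PUSHED_PARAMS["redirect_uri"],
    "state": PUSHED_PARAMS["state"],
    "nonce": PUSHED_PARAMS["nonce"],
    "code_challenge": PUSHED_PARAMS["code_challenge"],
}) + _ATTRS

# Constructed hypothetical fixed response: the cookie refers to the pushed
# request only by its opaque request_uri.
FIXED_SET_COOKIE = "KC_RESTART=" + _jws_shaped({
    "request_uri": "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c",
}) + _ATTRS


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_SET_COOKIE),
                          ("fixed", FIXED_SET_COOKIE)):
        leaked = leaked_parameters(header, PUSHED_PARAMS)
        print(f"{label}: {sorted(leaked) or 'no pushed parameters readable'}")
```

To run it against a live server, paste the Set-Cookie header captured from the authorization response into the first argument and the exact body you sent to the PAR endpoint into the second; any non-empty result means the parameters PAR was supposed to keep off the front channel are sitting in a browser cookie.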
References