CVE-2024-4540
📋 TL;DR
Keycloak's implementation of OAuth 2.0 Pushed Authorization Requests (PAR, RFC 9126) stores the parameters a client pushed to the PAR endpoint in plain text inside the KC_RESTART cookie that Keycloak sets in the user's browser during login. PAR exists precisely to keep those parameters off the browser front channel, so this is an information disclosure: anything that can read the cookie (the browser and its extensions, a proxy or log that captures Set-Cookie or Cookie headers, anyone with access to the device) can read what the client pushed. Deployments whose clients use PAR are affected.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains a victim's KC_RESTART cookie reads every parameter the client pushed via PAR. Depending on the client that can include login_hint (a username or e-mail address), a claims object, state, nonce, the PKCE code_challenge or a complete request object, which can be used to target the user or to replay parts of the authorization request. The disclosed data is what the client pushed, not the user's password or an issued token.
Likely Case
Disclosure of the pushed authorization request parameters to the browser front channel and to any intermediary that logs or inspects cookies, exposing identity hints, requested claims and client configuration details.
If Mitigated
Once patched (or with PAR unused) the cookie no longer carries pushed parameters; what remains is ordinary cookie hygiene (HTTPS only, no proxy or application logging of Cookie and Set-Cookie headers).
🎯 Exploit Status
Exploitation requires read access to a victim's KC_RESTART cookie: access to the browser or device, a TLS-terminating proxy, or logs that capture Set-Cookie or Cookie headers. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not recorded here; each Red Hat advisory under References names the fixed build for its product stream
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3566
Restart Required: Yes
Instructions:
1. Review the Red Hat advisories listed under References.
2. Identify the advisory and patch that apply to your Keycloak / Red Hat Single Sign-On version.
3. Apply the security update.
4. Restart the Keycloak service.
🔧 Temporary Workarounds
Disable PAR
Temporarily stop using OAuth 2.0 Pushed Authorization Requests if no client depends on it: turn off the "pushed authorization request required" client setting and, where your version allows the par feature to be disabled, disable it at server start (confirm against the feature list for your version before relying on this). Clients that require PAR will fail to log in while it is off.
🧯 If You Can't Patch
- Stop pushing sensitive values via PAR (login_hint, claims, request objects) until patched; the cookie can only leak what the client pushes
- Serve Keycloak over HTTPS only and make sure load balancers, reverse proxies, WAFs and application logs do not record Cookie or Set-Cookie headers
- Restrict network access to Keycloak instances and monitor for unusual access patterns to the PAR and authorization endpoints
🔍 How to Verify
Check if Vulnerable:
Confirm whether any realm advertises or any client uses PAR (the realm's OpenID Connect discovery document lists a pushed_authorization_request_endpoint when PAR is available), then compare your version against the affected builds named in the Red Hat advisories
Check Version:
Read the version from the admin console (Server info) or from the Keycloak startup log
Verify Fix Applied:
Confirm the running version matches a fixed build from the Red Hat advisories, and, for a direct check, push a distinctive canary value via PAR and confirm it does not appear in the KC_RESTART cookie set on the following authorization request
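The two checks above, as an added example written for this page (it is not Keycloak project code): step 1 reads a realm's discovery document and reports whether a PAR endpoint is advertised; step 2 decodes a captured KC_RESTART cookie and searches its payload for a canary value you pushed via PAR. Assumptions, labelled in the code: the discovery document uses the RFC 9126 key pushed_authorization_request_endpoint, and the cookie is a compact JWS (header.payload.signature, base64url, JSON payload) in which leaked parameters survive as string values somewhere in that JSON. The discovery document and cookies in the block are constructed samples, not server output.

```python
"""Offline helpers for checking a Keycloak deployment against CVE-2024-4540.

Added example for this page, not Keycloak project code.  Assumptions:
(1) the realm discovery document advertises PAR under the RFC 9126 key
"pushed_authorization_request_endpoint"; (2) KC_RESTART is a compact JWS
(header.payload.signature, base64url, JSON payload) and a leaked pushed
parameter survives as a string value somewhere in that payload.
The sample discovery document and cookies below are constructed, not captured.
"""
import base64
import json
import urllib.request  # used only by the optional live fetch


def par_advertised(discovery_json: str) -> bool:
    """Step 1: does the realm advertise a PAR endpoint at all?"""
    doc = json.loads(discovery_json)
    return bool(doc.get("pushed_authorization_request_endpoint"))


def fetch_discovery(base_url: str, realm: str) -> str:
    """Live variant of step 1 (needs network); standard Keycloak realm path."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWS strips."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_restart_cookie(value: str) -> dict:
    """Step 2a: return the JWS payload of a KC_RESTART cookie as a dict.

    The signature is deliberately not verified: we are inspecting our own
    cookie.  A five-segment value is a JWE, i.e. encrypted, and cannot be
    inspected without the realm key, so it is reported instead of decoded.
    """
    parts = value.split(".")
    if len(parts) == 5:
        raise ValueError("cookie is a JWE; payload is encrypted, not inspectable")
    if len(parts) != 3:
        raise ValueError(f"expected a 3-segment JWS, got {len(parts)} segments")
    return json.loads(b64url_decode(parts[1]))


def _walk(obj, path=""):
    """Yield (json_path, value) for every value at any depth of the payload."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield f"{path}/{key}", val
            yield from _walk(val, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")


def find_value(cookie_value: str, needle: str) -> list:
    """Step 2b: JSON paths in the cookie payload whose string value contains needle.

    Push `needle` (a canary) via PAR, capture the KC_RESTART cookie set on the
    following authorization request, and call this.  Non-empty means the pushed
    parameters are stored in clear and the server is unpatched.
    """
    return [path for path, val in _walk(decode_restart_cookie(cookie_value))
            if isinstance(val, str) and needle in val]


# ---- constructed samples (assumed layout, not real server output) -------
def _fake_jws(payload: dict) -> str:
    """Build a JWS-shaped string with a dummy signature for the samples."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}.{enc(b'dummy-sig')}"


CANARY = "cve-2024-4540-canary@example.invalid"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example/realms/demo",
    "authorization_endpoint": "https://sso.example/realms/demo/protocol/openid-connect/auth",
    "pushed_authorization_request_endpoint":
        "https://sso.example/realms/demo/protocol/openid-connect/ext/par/request",
})
LEAKY_COOKIE = _fake_jws({          # unpatched: pushed params end up in the notes
    "cid": "my-app", "pty": "openid-connect", "ruri": "https://app.example/cb",
    "notes": {"login_hint": CANARY, "state": "af0ifjsldkj",
              "claims": '{"id_token":{"acr":{"essential":true}}}'},
})
CLEAN_COOKIE = _fake_jws({          # patched: only the restart essentials
    "cid": "my-app", "pty": "openid-connect", "ruri": "https://app.example/cb",
})

if __name__ == "__main__":
    print("PAR advertised:", par_advertised(SAMPLE_DISCOVERY))
    for label, cookie in (("leaky", LEAKY_COOKIE), ("clean", CLEAN_COOKIE)):
        hits = find_value(cookie, CANARY)
        print(f"{label} cookie:", hits or "canary not present in clear")
```

Against a live server the procedure is: fetch the discovery document and confirm a PAR endpoint is advertised; POST a pushed authorization request for a test client to that endpoint with a canary login_hint and keep the returned request_uri; request the authorization endpoint with client_id and that request_uri and capture the Set-Cookie: KC_RESTART=... header from the response; pass the cookie value and the canary to find_value. A hit means the fix is not applied; a ValueError naming a JWE means the cookie is encrypted and the plain-text check does not apply.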
📡 Detection & Monitoring
Log Indicators:
- Requests to a realm's PAR endpoint from client IDs or source addresses that are not expected to use PAR
- Bursts of rejected PAR requests against a single client
Network Indicators:
- Set-Cookie: KC_RESTART=... responses whose decoded payload contains the parameters a client pushed (the server is unpatched)
- KC_RESTART values appearing in proxy, load-balancer or WAF logs (a place the pushed data is exposed)
SIEM Query:
Search Keycloak access and event logs for requests to the realm PAR endpoint and the authorization request that follows them, grouped by client ID and source address; alert on clients that are not expected to use PAR and on unusual or unexpected parameters in those requests
🔗 References
- https://access.redhat.com/errata/RHSA-2024:3566
- https://access.redhat.com/errata/RHSA-2024:3567
- https://access.redhat.com/errata/RHSA-2024:3568
- https://access.redhat.com/errata/RHSA-2024:3570
- https://access.redhat.com/errata/RHSA-2024:3572
- https://access.redhat.com/errata/RHSA-2024:3573
- https://access.redhat.com/errata/RHSA-2024:3574
- https://access.redhat.com/errata/RHSA-2024:3575
- https://access.redhat.com/errata/RHSA-2024:3576
- https://access.redhat.com/security/cve/CVE-2024-4540
- https://bugzilla.redhat.com/show_bug.cgi?id=2279303