Insecure Storage of Sensitive Information Affecting org.keycloak:keycloak-services package, versions [,24.0.5)


Severity: medium

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-JAVA-ORGKEYCLOAK-7243496
  • published: 11 Jun 2024
  • disclosed: 10 Jun 2024
  • credit: Manuel Schallar

Introduced: 10 Jun 2024

CVE: not available. CWE-922

How to fix?

Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.

Overview

org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed Authorization Request) clients when using client_secret_post based authentication. The vulnerability derives from client-provided parameters that were included in plain text within the KC_RESTART cookie, which the authorization server returned in its HTTP response to a request_uri authorization request.

To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.
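As an added example (not Snyk's or Keycloak's code), a defender-side check for the behaviour described above: it decodes the KC_RESTART cookie set in an authorization response and reports whether a credential parameter such as client_secret appears in its plain-text payload. It assumes the cookie is a compact JWS whose payload is base64url JSON; the sample cookies are constructed and their field layout is illustrative.

```python
import base64, json, re

# Added check, not Keycloak code. Assumes KC_RESTART is a compact JWS
# (header.payload.signature) whose payload is base64url JSON; the field
# layout of the constructed sample cookies below is illustrative.
SENSITIVE_KEYS = ("client_secret", "client_assertion")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_kc_restart(value: str):
    """Decode the JSON payload of a compact JWS; None if value is not one."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    try:
        seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
        return json.loads(base64.urlsafe_b64decode(seg))
    except (ValueError, UnicodeDecodeError):
        return None

def _leaves(obj, path=""):
    """Yield (dotted path, value) for every leaf of nested JSON objects."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{path}.{k}" if path else k)
    else:
        yield path, obj

def find_leaked_params(set_cookie: str, known_secret=None) -> list:
    """Paths inside KC_RESTART where credential parameters sit in plain text."""
    m = re.search(r"(?:^|;\s*)KC_RESTART=([^;]*)", set_cookie)
    if not m:
        return []
    value = m.group(1)
    payload = decode_kc_restart(value)
    if payload is None:  # not a parseable JWS: fall back to a raw substring scan
        return ["<raw>"] if known_secret and known_secret in value else []
    return [p for p, v in _leaves(payload)
            if any(k in p.rsplit(".", 1)[-1].lower() for k in SENSITIVE_KEYS)
            or (known_secret is not None and v == known_secret)]

def build_sample_cookie(notes: dict) -> str:
    """Constructed Set-Cookie header carrying an unsigned JWS-shaped KC_RESTART."""
    hdr = _b64url(b'{"alg":"none"}')
    body = _b64url(json.dumps({"cid": "par-client", "notes": notes}).encode())
    return f"KC_RESTART={hdr}.{body}.sig; Path=/realms/demo; HttpOnly; Secure"

LEAKY = build_sample_cookie({"client_id": "par-client", "client_secret": "s3cr3t", "scope": "openid"})
CLEAN = build_sample_cookie({"client_id": "par-client", "scope": "openid"})
```

Running it against a real deployment means capturing the Set-Cookie header from your own authorization server's response to a request_uri authorization request and passing it, together with the client's secret, to find_leaked_params; an empty list on a patched server and a non-empty one before the upgrade confirms the fix and tells you which secrets to rotate.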

Note

If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.

CVSS Scores

version 3.1