Insecure Storage of Sensitive Information Affecting org.keycloak:keycloak-services package, versions [,24.0.5)
- Snyk ID SNYK-JAVA-ORGKEYCLOAK-7243496
- published 11 Jun 2024
- disclosed 10 Jun 2024
- credit Manuel Schallar
How to fix?
Upgrade org.keycloak:keycloak-services to version 24.0.5 or higher.
Overview
org.keycloak:keycloak-services is the core services module of Keycloak, an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information when OAuth 2.0 Pushed Authorization Requests (PAR) are used by clients that authenticate with client_secret_post. The parameters a client pushes to the PAR endpoint, including the client_secret it sends in the request body, were stored in plain text in the KC_RESTART cookie, which the authorization server set in its HTTP response to the authorization request that referenced the pushed request by request_uri.
To exploit this vulnerability, an attacker needs to intercept that HTTP response from the authorization server. Because the authorization request is made by the end user's browser, the cookie, and with it the client secret, is delivered to the user agent rather than only to the client, which might result in the disclosure of sensitive information.
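The following check, added here as an illustration and not taken from Keycloak or Snyk, reproduces the condition the advisory describes: it builds the client_secret_post form body a PAR client pushes, extracts every KC_RESTART value from the authorization response's Set-Cookie headers, and reports whether the client secret is present in the cookie. It assumes KC_RESTART is a JWS-style token whose middle segment is base64url JSON (it falls back to a plain substring search on the raw value otherwise), that the Keycloak endpoint paths are /realms/<realm>/protocol/openid-connect/ext/par/request and /realms/<realm>/protocol/openid-connect/auth, and it uses a constructed cookie, not one captured from a real server, for the offline demonstration.

```python
"""Check whether a KC_RESTART cookie exposes a PAR client's client_secret.

Added example for this advisory; not Keycloak's or Snyk's code.
Assumptions are marked in comments.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

COOKIE_NAME = "KC_RESTART"  # cookie named in the advisory


def par_request_body(client_id, client_secret, redirect_uri, scope="openid", state="abc123"):
    """Form body of a PAR request using client_secret_post: the secret travels
    as an ordinary body parameter next to the authorization parameters."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_cookie_value(value):
    """Assumption: the value is a JWS-style token (header.payload.signature)
    whose payload is base64url JSON. Otherwise return the raw value so the
    substring check below still applies."""
    parts = value.split(".")
    if len(parts) == 3:
        try:
            return _b64url_decode(parts[1]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass
    return value


def kc_restart_values(set_cookie_headers):
    """Every KC_RESTART value found in a list of Set-Cookie header strings."""
    values = []
    for header in set_cookie_headers:
        name, sep, rest = header.partition("=")
        if sep and name.strip() == COOKIE_NAME:
            values.append(rest.split(";", 1)[0].strip())
    return values


def kc_restart_leaks_secret(set_cookie_headers, client_secret):
    """True if the secret appears in any KC_RESTART cookie, raw or decoded."""
    return any(
        client_secret in text
        for value in kc_restart_values(set_cookie_headers)
        for text in (value, decode_cookie_value(value))
    )


def constructed_cookie(notes):
    """Constructed stand-in for a KC_RESTART Set-Cookie header: an unsigned
    JWS-like token carrying the given notes. Real cookies are signed and may
    use other field names; this only exercises the check offline."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps({"notes": notes}).encode())
    return f"{COOKIE_NAME}={header}.{payload}.; Path=/realms/demo/; HttpOnly; Secure"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep the first response so its Set-Cookie headers are not lost.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, realm, client_id, client_secret, redirect_uri, timeout=10):
    """Run the real exchange against a Keycloak realm. Assumed endpoint paths:
    .../ext/par/request for PAR and .../auth for authorization."""
    opener = urllib.request.build_opener(_NoRedirect())
    par_url = f"{base_url}/realms/{realm}/protocol/openid-connect/ext/par/request"
    body = par_request_body(client_id, client_secret, redirect_uri).encode()
    with opener.open(urllib.request.Request(par_url, data=body, method="POST"), timeout=timeout) as r:
        request_uri = json.load(r)["request_uri"]
    auth_url = (f"{base_url}/realms/{realm}/protocol/openid-connect/auth?"
                + urllib.parse.urlencode({"client_id": client_id, "request_uri": request_uri}))
    try:
        r = opener.open(auth_url, timeout=timeout)
    except urllib.error.HTTPError as e:
        r = e  # a 3xx/4xx response still carries the headers of interest
    return kc_restart_leaks_secret(r.headers.get_all("Set-Cookie") or [], client_secret)


if __name__ == "__main__":
    vulnerable = constructed_cookie({"client_id": "app", "client_secret": "s3cr3t"})
    fixed = constructed_cookie({"client_id": "app"})
    print("vulnerable sample leaks:", kc_restart_leaks_secret([vulnerable], "s3cr3t"))
    print("fixed sample leaks:", kc_restart_leaks_secret([fixed], "s3cr3t"))
```

Run probe() against a test realm with a confidential client configured for client_secret_post; a True result means the secret is recoverable from the response the browser receives, and the client secret should be treated as exposed.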
Note
If you use OIDC confidential clients together with PAR and use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (the client_secret_post method specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.