In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade org.keycloak:keycloak-services
to version 24.0.5 or higher.
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information through PAR (Pushed authorization request) clients when using client_secret_post
based authentication.
This vulnerability derived from client-provided parameters that were included in plain text within the KC_RESTART
cookie, which the authorization server returned in its HTTP response to a request_uri
authorization request.
To exploit this vulnerability, an attacker needs to intercept the HTTP response from the authorization server, which might result in the disclosure of sensitive information.
Note
If you use OIDC confidential clients together with PAR and use client authentication based on client_id
and client_secret
sent as parameters in the HTTP request body (method client_secret_post
specified in the OIDC specification), it is highly encouraged to rotate your clients' client secrets after upgrading to this version.