CVE-2024-4540 is a vulnerability identified in Keycloak's implementation of OAuth 2.0 Pushed Authorization Requests (PAR). The flaw arises because client-supplied parameters are embedded in plaintext within the KC_RESTART cookie, which the authorization server returns in HTTP responses to request_uri authorization requests. This cookie is intended to maintain state during the authorization process, but including sensitive parameters in cleartext exposes them to potential interception or unauthorized access. Since the KC_RESTART cookie is transmitted over the network and potentially accessible to client-side scripts or intermediaries, attackers with network access or the ability to read cookies could extract sensitive OAuth parameters, leading to information disclosure. The vulnerability does not require any privileges or user interaction to exploit, and it affects confidentiality but not integrity or availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects that the attack can be performed remotely with low complexity and no privileges, resulting in a high impact on confidentiality. No patches or exploits are currently documented, but the issue is significant given Keycloak's role in securing authentication and authorization flows in many enterprise environments.

The primary impact of CVE-2024-4540 is the unauthorized disclosure of sensitive OAuth 2.0 parameters, which may include client identifiers, scopes, or other authorization details. Such information leakage can facilitate further attacks such as session hijacking, replay attacks, or targeted phishing by revealing internal authorization details. Organizations relying on Keycloak for identity and access management may face increased risk of data breaches or unauthorized access if attackers intercept these cookies. The vulnerability undermines the confidentiality of the OAuth authorization process, potentially exposing sensitive client data to network attackers or malicious insiders with access to client devices or network traffic. While the vulnerability does not directly affect system integrity or availability, the loss of confidentiality can have cascading effects on trust and security posture. This is particularly critical for organizations handling sensitive user data, financial information, or operating in regulated industries.

To mitigate CVE-2024-4540, organizations should first apply any available patches or updates from Keycloak that address the issue. If patches are not yet available, administrators should consider disabling or restricting the use of OAuth 2.0 Pushed Authorization Requests (PAR) or the request_uri authorization request flow until a fix is deployed. Implementing strict cookie security attributes such as Secure, HttpOnly, and SameSite can reduce the risk of cookie interception or cross-site attacks. Network-level protections like TLS enforcement and monitoring for unusual cookie transmissions can help detect exploitation attempts. Additionally, reviewing and minimizing the sensitive data included in client parameters and cookies can reduce exposure. Organizations should also audit their Keycloak configurations and logs for suspicious activity related to authorization requests. Finally, educating developers and security teams about secure OAuth implementations and the risks of cleartext storage of sensitive data is essential to prevent similar issues.