CVE-2024-4540 identifies a vulnerability in Keycloak's handling of OAuth 2.0 Pushed Authorization Requests (PAR). Specifically, when a client sends a request_uri authorization request, certain client-provided parameters are inadvertently embedded in plaintext within the KC_RESTART cookie returned by the authorization server in the HTTP response. This cookie is used by Keycloak to manage authorization request state, but including sensitive parameters in it without encryption or proper protection exposes them to interception by unauthorized parties. The vulnerability does not require any authentication or user interaction to exploit, and the attack vector is network-based (AV:N), meaning an attacker can remotely capture this information if they can observe the HTTP traffic. The confidentiality impact is high because sensitive OAuth parameters, potentially including tokens or client secrets, could be leaked. However, integrity and availability are not affected. The vulnerability is rated with a CVSS 3.1 score of 7.5, reflecting its high severity. No public exploits have been reported yet, but the risk is significant given the widespread use of Keycloak in enterprise identity management. The flaw stems from insufficient sanitization or encryption of sensitive data in cookies during the OAuth PAR flow, which is designed to improve security by allowing clients to push authorization request parameters to the server instead of including them in URLs. This vulnerability undermines that security goal by exposing parameters in an unprotected cookie. Organizations relying on Keycloak for OAuth 2.0 authorization should monitor for updates and apply patches promptly once available.

For European organizations, the exposure of sensitive OAuth 2.0 parameters can lead to unauthorized disclosure of client credentials, tokens, or other confidential data, potentially enabling attackers to impersonate users or clients, escalate privileges, or gain unauthorized access to protected resources. This is particularly critical for sectors handling sensitive personal data such as finance, healthcare, and government services, where identity management systems like Keycloak are commonly deployed. The vulnerability could facilitate targeted attacks against identity infrastructure, undermining trust and compliance with regulations such as GDPR. Additionally, if attackers intercept these cookies over unsecured networks or through man-in-the-middle attacks, they could leverage the leaked information to compromise sessions or escalate attacks. Although no integrity or availability impact is noted, the confidentiality breach alone can have severe consequences including data breaches, regulatory penalties, and reputational damage.

1. Apply official patches or updates from Keycloak as soon as they are released addressing CVE-2024-4540. 2. Until patches are available, configure Keycloak to minimize exposure by restricting the scope and lifetime of the KC_RESTART cookie, including setting the Secure and HttpOnly flags to prevent client-side access and transmission over non-HTTPS channels. 3. Implement network-level protections such as enforcing HTTPS/TLS for all OAuth communications to prevent interception of cookies. 4. Review and audit OAuth 2.0 PAR usage in your environment to identify if and where request_uri authorization requests are used and consider disabling PAR if not strictly necessary. 5. Monitor logs and network traffic for unusual or unauthorized access patterns related to OAuth authorization flows. 6. Educate developers and administrators on secure OAuth implementation practices and the risks of exposing sensitive parameters in cookies or URLs. 7. Consider deploying Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) tuned to detect anomalies in OAuth traffic patterns.