CVE-2024-4540: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2024-4540) was discovered in Keycloak's OAuth 2.0 Pushed Authorization Requests (PAR) implementation. The flaw was identified in June 2024, affecting Keycloak and Red Hat Single Sign-On products. The vulnerability involves client-provided parameters being exposed in plain text within the KCRESTART cookie returned by the authorization server's HTTP response to a `requesturi` authorization request (NVD, Red Hat CVE).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue specifically occurs during the OAuth 2.0 Pushed Authorization Requests process where sensitive client parameters are exposed in plaintext format in the KC_RESTART cookie (NVD).

The vulnerability could lead to information disclosure, potentially exposing sensitive client parameters to unauthorized actors. The CVSS scoring indicates high confidentiality impact but no impact on integrity or availability of the system (Red Hat CVE).

Red Hat has released security updates to address this vulnerability across multiple products including Red Hat Single Sign-On 7.6 and Red Hat build of Keycloak versions 22.0.11 and 24.0.5. Users are advised to update to the latest versions available through the provided security advisories (Red Hat Advisory).