Session Fixation Vulnerability in Keycloak SAML Adapters

CVE-2024-7341

7.1HIGH

Key Information

Vendor
Red Hat
Status
Red Hat Build Of Keycloak
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 24
Red Hat Single Sign-on 7
Vendor
CVE Published:
9 September 2024

Summary

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Affected Version(s)

Red Hat build of Keycloak 22 <= 22.0.12-1

Red Hat build of Keycloak 22 <= 22-17

Red Hat build of Keycloak 22 <= 22-20

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.