Session Fixation Vulnerability in Keycloak SAML Adapters
CVE-2024-7341

7.1HIGH

Key Information:

Status
Red Hat Build Of Keycloak
Red Hat Build Of Keycloak 22
Red Hat Build Of Keycloak 24
Vendor
CVE Published:
9 September 2024

What is CVE-2024-7341?

A security vulnerability has been identified in the SAML adapters of Keycloak, where the session ID and JSESSIONID cookie remain unchanged at login, regardless of the configuration of the turnOffChangeSessionIdOnLogin option. This vulnerability poses a significant risk, allowing attackers to seize a user's session prior to authentication and execute session fixation attacks. As a consequence, unauthorized individuals could gain access to the user’s session, potentially leading to sensitive data exposure or further exploitation within the affected environment.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:6493
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6494
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6495
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.