Session Fixation Vulnerability in Keycloak SAML Adapters
CVE-2024-7341
CVSS 7.1 (HIGH)
Key Information
- Vendor: Red Hat
- Products: Red Hat Build Of Keycloak, Red Hat Build Of Keycloak 22, Red Hat Build Of Keycloak 24, Red Hat Single Sign-on 7
- CVE Published: 9 September 2024
Summary
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured (this adapter option exists precisely to control session ID rotation on login; its default, false, is supposed to leave rotation enabled). Because the pre-authentication session identifier survives the SAML login, an attacker who learns or plants that identifier in the victim's browser before authentication can present the same JSESSIONID after the victim logs in and act inside the victim's authenticated session. The expected behaviour is for the adapter to issue a fresh session identifier (and a new JSESSIONID cookie) once the SAML assertion has been accepted and to invalidate the old one.
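To make the failure mode concrete, the following is an added illustration, not Keycloak's or Red Hat's code: a minimal in-memory session store with the vulnerable login step beside the fixed one, a simulated fixation attack against each, and a helper for the check a practitioner would run against a real deployment by comparing the JSESSIONID Set-Cookie header captured before login with the one in the response that completes the SAML login. The store, the login functions, their names and the sample cookie headers are hypothetical and constructed here.

```python
"""Session fixation across a login step: vulnerable vs. rotated session handling.

Added illustration only; the session store and login functions are hypothetical
stand-ins for a servlet container's session map and an adapter's login hook.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional


@dataclass
class Session:
    authenticated: bool = False
    principal: Optional[str] = None
    attrs: dict = field(default_factory=dict)


def new_session(store: Dict[str, Session]) -> str:
    """Pre-authentication session, as created on the first unauthenticated request."""
    sid = secrets.token_hex(16)
    store[sid] = Session()
    return sid


def login_without_rotation(store: Dict[str, Session], sid: str, principal: str) -> str:
    """Vulnerable pattern (the behaviour the advisory describes): the existing
    session is upgraded in place, so anyone who already knows `sid` now holds
    an authenticated session."""
    sess = store[sid]
    sess.authenticated = True
    sess.principal = principal
    return sid


def login_with_rotation(store: Dict[str, Session], sid: str, principal: str) -> str:
    """Fixed pattern: on successful authentication mint a fresh identifier, carry
    over any state that should survive login, and invalidate the old identifier.
    (Servlet 3.1's HttpServletRequest.changeSessionId() does the equivalent.)"""
    old = store.pop(sid)
    new_sid = secrets.token_hex(16)
    store[new_sid] = Session(authenticated=True, principal=principal, attrs=dict(old.attrs))
    return new_sid


def fixation_attack(login: Callable[[Dict[str, Session], str, str], str]) -> Optional[str]:
    """Attacker learns (or plants) the victim's pre-auth session id, waits for the
    victim to complete the SAML login, then replays the same cookie.
    Returns the principal the attacker can act as, or None if the id is dead."""
    store: Dict[str, Session] = {}
    planted_sid = new_session(store)                   # attacker obtains this id pre-auth
    login(store, planted_sid, "victim@example.org")    # victim authenticates
    sess = store.get(planted_sid)                      # attacker replays the planted id
    return sess.principal if sess and sess.authenticated else None


def session_id_rotated(pre_login_set_cookie: str, post_login_set_cookie: str,
                       name: str = "JSESSIONID") -> bool:
    """Check for a live deployment: compare the Set-Cookie header seen before
    authentication with the one in the response that completes the SAML login.
    True means the id changed at login (expected); False is the advisory's symptom.
    An empty post-login header means no new cookie was issued, so the browser
    keeps the old id."""
    pre, post = SimpleCookie(), SimpleCookie()
    pre.load(pre_login_set_cookie)
    post.load(post_login_set_cookie)
    if name not in post:
        return False
    return name not in pre or pre[name].value != post[name].value


if __name__ == "__main__":
    print("no rotation  -> attacker acts as:", fixation_attack(login_without_rotation))
    print("with rotation -> attacker acts as:", fixation_attack(login_with_rotation))
    # Constructed headers, as one would capture them with an intercepting proxy:
    before = "JSESSIONID=A1B2C3; Path=/app; HttpOnly"
    after_kept = "JSESSIONID=A1B2C3; Path=/app; HttpOnly"
    after_fresh = "JSESSIONID=Z9Y8X7; Path=/app; HttpOnly"
    print("rotated (kept id)?", session_id_rotated(before, after_kept))
    print("rotated (fresh id)?", session_id_rotated(before, after_fresh))
```

Against a real adapter, `session_id_rotated` is fed the JSESSIONID Set-Cookie value recorded on the first unauthenticated request and the one returned by the response to the POST of the SAML response to the assertion consumer URL; a result of False on a patched build warrants a closer look at the adapter configuration.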
Affected Version(s)
Red Hat build of Keycloak 22 <= 22.0.12-1
Red Hat build of Keycloak 22 <= 22-17
Red Hat build of Keycloak 22 <= 22-20
The version strings above are the component and image versions as reported in Red Hat's data. Red Hat Build Of Keycloak 24 and Red Hat Single Sign-on 7 are listed as affected products above, but this page gives no version bound for them.
CVSS v3.1
Score: 7.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
The High attack complexity and required user interaction reflect that the attacker must first get a known session identifier into the victim's browser and then wait for the victim to complete a login; once that happens, the attacker holds the victim's full session, hence the High impact on all three properties.
Timeline (most recent first)
- CVSS score set: 7.1 (HIGH)
- Vulnerability published.
- Vulnerability reserved.
- Reported to Red Hat.
Collectors: NVD Database, MITRE Database