Session Fixation Vulnerability in Keycloak SAML Adapters
CVE-2024-7341
7.1HIGH
Key Information
- Vendor
- Red Hat
- Status
- Red Hat Build Of Keycloak
- Red Hat Build Of Keycloak 22
- Red Hat Build Of Keycloak 24
- Red Hat Single Sign-on 7
- Vendor
- CVE Published:
- 9 September 2024
Summary
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
Affected Version(s)
Red Hat build of Keycloak 22 <= 22.0.12-1
Red Hat build of Keycloak 22 <= 22-17
Red Hat build of Keycloak 22 <= 22-20
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database