CVE-2016-8609 — Session Fixation in Redhat Keycloak

CWE-384 — Session Fixation CWE-287 — Improper Authentication6 documents6 sources

Severity

8.1HIGHNVD

CNA3.7

EPSS

0.1%

top 64.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Keycloak RED HAT Keycloak

Timeline

PublishedAug 1

Latest updateOct 18

Description

It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDredhat/keycloak< 2.3.0

▶CVEListV5red_hat/keycloak2.3.0

🔴Vulnerability Details

OSV

Improper Authentication in org.keycloak:keycloak-core↗2018-10-18

▶

GHSA

Improper Authentication in org.keycloak:keycloak-core↗2018-10-18

▶

CVEList

CVE-2016-8609: It was found that the keycloak before 2↗2018-08-01

▶

📋Vendor Advisories

Red Hat

keycloak: account hijacking via auth code fixation↗2016-12-13

▶

💬Community

Bugzilla

CVE-2016-8609 keycloak: account hijacking via auth code fixation↗2016-10-19

▶