CVE-2024-7341

CWE-3845 documents5 sources

Severity

7.1HIGH

EPSS

1.7%

top 17.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

3

Redhat Build OF Keycloak Redhat Single Sign-on Redhat Keycloak

Timeline

PublishedSep 9

Latest updateOct 14

Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDredhat/build_of_keycloak22.0 — 22.0.12+1

▶Mavenorg.keycloak:keycloak-services23.0.0 — 24.0.7+2

▶NVDredhat/keycloak25.0.2

▶NVDredhat/single_sign-on7.6 — 7.6.10

🔴Vulnerability Details

3

OSV

Keycloak has session fixation in Elytron SAML adapters↗2024-10-14

▶

GHSA

Keycloak has session fixation in Elytron SAML adapters↗2024-10-14

▶

CVEList

Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters↗2024-09-09

▶

📋Vendor Advisories

1

Red Hat

wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters↗2024-09-09

▶