CVE-2024-7341

high

Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

References

https://bugzilla.redhat.com/show_bug.cgi?id=2302064

https://access.redhat.com/security/cve/CVE-2024-7341

https://access.redhat.com/errata/RHSA-2024:6503

https://access.redhat.com/errata/RHSA-2024:6502

https://access.redhat.com/errata/RHSA-2024:6501

https://access.redhat.com/errata/RHSA-2024:6500

https://access.redhat.com/errata/RHSA-2024:6499

https://access.redhat.com/errata/RHSA-2024:6497

https://access.redhat.com/errata/RHSA-2024:6495

https://access.redhat.com/errata/RHSA-2024:6494

https://access.redhat.com/errata/RHSA-2024:6493

Details

Source: Mitre, NVD

Published: 2024-09-09

Updated: 2024-10-04

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Severity: High