7.1

CVE-2024-7341

Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters

Session fixation in Elytron SAML adapters

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
Mögliche Gegenmaßnahme
Keycloak Server: Install latest version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatKeycloak Version <= 25.0.2
RedhatSingle Sign-on Version >= 7.6 < 7.6.10
   RedhatEnterprise Linux Version7.0
   RedhatEnterprise Linux Version8.0
   RedhatEnterprise Linux Version9.0
RedhatBuild Of Keycloak Version >= 22.0 < 22.0.12
RedhatBuild Of Keycloak Version >= 24.0 < 24.0.7
RedhatSingle Sign-on Version- SwEditiontext-only
Weitere Schwachstelleninformationen
SystemKeycloak
Produkt Keycloak Server
Version >= 0.0.0, < 22.0.12
Version >= 24.0.0, < 24.0.7
Version >= 25.0.0, < 25.0.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.8% 0.517
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.2 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com 7.1 1.2 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://access.redhat.com/errata/RHSA-2024:6493
Mailing List
https://access.redhat.com/errata/RHSA-2024:6494
Mailing List
https://access.redhat.com/errata/RHSA-2024:6495
Mailing List
https://access.redhat.com/errata/RHSA-2024:6497
Mailing List
https://access.redhat.com/errata/RHSA-2024:6499
Mailing List
https://access.redhat.com/errata/RHSA-2024:6500
Mailing List
https://access.redhat.com/errata/RHSA-2024:6501
Mailing List
https://access.redhat.com/errata/RHSA-2024:6502
Mailing List
https://access.redhat.com/errata/RHSA-2024:6503
Mailing List
https://access.redhat.com/security/cve/CVE-2024-7341
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2302064
Vendor Advisory
Issue Tracking
https://github.com/advisories/GHSA-j76j-rqwj-jmvv
https://github.com/keycloak/keycloak/security/advisories/GHSA-5rxp-2rhr-qwqv
Third Party Advisory