CVE-2024-7341

EPSS 1.15%
Published 09.09.2024 19:15:14
Last modified 04.10.2024 12:48:43
Source secalert@redhat.com
Teams watchlist Login
Open Login

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version <= 25.0.2

Redhat ≫ Single Sign-on Version >= 7.6 < 7.6.10

   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0
   Redhat ≫ Enterprise Linux Version9.0

Redhat ≫ Build Of Keycloak Version >= 22.0 < 22.0.12

Redhat ≫ Build Of Keycloak Version >= 24.0 < 24.0.7

Redhat ≫ Single Sign-on Version- SwEditiontext-only

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.15%	0.776

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.1	1.2	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com	7.1	1.2	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://access.redhat.com/errata/RHSA-2024:6493

Mailing List

https://access.redhat.com/errata/RHSA-2024:6494

Mailing List

https://access.redhat.com/errata/RHSA-2024:6495

Mailing List

https://access.redhat.com/errata/RHSA-2024:6497

Mailing List

https://access.redhat.com/errata/RHSA-2024:6499

Mailing List

https://access.redhat.com/errata/RHSA-2024:6500

Mailing List