CVE-2024-7341

EPSS 1.15%
Veröffentlicht 09.09.2024 19:15:14
Zuletzt bearbeitet 04.10.2024 12:48:43
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Keycloak Version <= 25.0.2

Redhat ≫ Single Sign-on Version >= 7.6 < 7.6.10

   Redhat ≫ Enterprise Linux Version7.0
   Redhat ≫ Enterprise Linux Version8.0
   Redhat ≫ Enterprise Linux Version9.0

Redhat ≫ Build Of Keycloak Version >= 22.0 < 22.0.12

Redhat ≫ Build Of Keycloak Version >= 24.0 < 24.0.7

Redhat ≫ Single Sign-on Version- SwEditiontext-only

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.15%	0.776

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	1.2	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
secalert@redhat.com	7.1	1.2	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://access.redhat.com/errata/RHSA-2024:6493

Mailing List

https://access.redhat.com/errata/RHSA-2024:6494

Mailing List

https://access.redhat.com/errata/RHSA-2024:6495

Mailing List

https://access.redhat.com/errata/RHSA-2024:6497

Mailing List

https://access.redhat.com/errata/RHSA-2024:6499

Mailing List

https://access.redhat.com/errata/RHSA-2024:6500

Mailing List