Lucene search

K

[email protected]NVD:CVE-2024-7341

HistorySep 09, 2024 - 7:15 p.m.

CVE-2024-7341

2024-09-0919:15:14

CWE-384

[email protected]

web.nvd.nist.gov

3

keycloak

saml

session fixation

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

0

Percentile

13.7%

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

References

access.redhat.com/errata/RHSA-2024:6493

access.redhat.com/errata/RHSA-2024:6494

access.redhat.com/errata/RHSA-2024:6495

access.redhat.com/errata/RHSA-2024:6497

access.redhat.com/errata/RHSA-2024:6499

access.redhat.com/errata/RHSA-2024:6500

access.redhat.com/errata/RHSA-2024:6501

access.redhat.com/errata/RHSA-2024:6502

access.redhat.com/errata/RHSA-2024:6503

access.redhat.com/security/cve/CVE-2024-7341

bugzilla.redhat.com/show_bug.cgi?id=2302064

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

0

Percentile

13.7%

Related for NVD:CVE-2024-7341

redhatcve1 osv2 cve1 cvelist1 github1 vulnrichment1 redhat9 nessus3