Lucene search

K

GoogleOSV:GHSA-J76J-RQWJ-JMVV

HistorySep 09, 2024 - 9:31 p.m.

Keycloak Session Fixation vulnerability

2024-09-0921:31:22

Google

osv.dev

4

keycloak

saml

session fixation

vulnerability

software

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0

Percentile

13.7%

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

References

access.redhat.com/errata/RHSA-2024:6493

access.redhat.com/errata/RHSA-2024:6494

access.redhat.com/errata/RHSA-2024:6495

access.redhat.com/errata/RHSA-2024:6497

access.redhat.com/errata/RHSA-2024:6499

access.redhat.com/errata/RHSA-2024:6500

access.redhat.com/errata/RHSA-2024:6501

access.redhat.com/errata/RHSA-2024:6502

access.redhat.com/errata/RHSA-2024:6503

access.redhat.com/security/cve/CVE-2024-7341

bugzilla.redhat.com/show_bug.cgi?id=2302064

github.com/keycloak/keycloak

nvd.nist.gov/vuln/detail/CVE-2024-7341

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0

Percentile

13.7%

Related for OSV:GHSA-J76J-RQWJ-JMVV

redhatcve1 osv1 cve1 cvelist1 github1 vulnrichment1 nvd1 redhat9 nessus3