CVE-2024-7341

Oct. 4, 2024, 12:48 p.m.

7.1
High

Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Product(s) Impacted

Vendor Product Versions
Redhat
  • Keycloak
  • Single Sign-on
  • Enterprise Linux
  • Build Of Keycloak
  • *
  • *, -
  • 7.0, 8.0, 9.0
  • *

Weaknesses

CWE-384
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a redhat keycloak / / / / / / / /
a redhat single_sign-on / / / / / / / /
o redhat enterprise_linux 7.0 / / / / / / /
o redhat enterprise_linux 8.0 / / / / / / /
o redhat enterprise_linux 9.0 / / / / / / /
a redhat build_of_keycloak / / / / / / / /
a redhat build_of_keycloak / / / / / / / /
a redhat single_sign-on - / / / text-only / / /

References

https://access.redhat.com/errata/RHSA-2024:6493
https://access.redhat.com/errata/RHSA-2024:6494
https://access.redhat.com/errata/RHSA-2024:6495
https://access.redhat.com/errata/RHSA-2024:6497
https://access.redhat.com/errata/RHSA-2024:6499
https://access.redhat.com/errata/RHSA-2024:6500
https://access.redhat.com/errata/RHSA-2024:6501
https://access.redhat.com/errata/RHSA-2024:6502
https://access.redhat.com/errata/RHSA-2024:6503
https://access.redhat.com/security/cve/CVE-2024-7341
https://bugzilla.redhat.com/show_bug.cgi?id=2302064

Tags

secalert@redhat.com
CWE-384
2024-09-09
CVE-2024-7341

CVSS Score

7.1 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Date

  • Published: Sept. 9, 2024, 7:15 p.m.
  • Last Modified: Oct. 4, 2024, 12:48 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.