CVE-2024-7341

HIGH

Keycloak - Session Fixation via SAML Adapter


Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The HTTP session ID and the JSESSIONID cookie are not regenerated at login time, even when the turnOffChangeSessionIdOnLogin option is configured. An attacker who already holds the victim's pre-authentication session ID therefore keeps a valid session after the victim logs in, i.e. session fixation.

References (12)

Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6493
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6494
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6495
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6497
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6499
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6500
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6501
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6502
Mailing list / vendor advisory (Red Hat errata): https://access.redhat.com/errata/RHSA-2024:6503
Vendor advisory / VDB entry (Red Hat CVE page): https://access.redhat.com/security/cve/CVE-2024-7341
Issue tracking / vendor advisory (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=2302064

Scores

CVSS v3 base score: 7.1
EPSS score: 0.0080
EPSS percentile: 51.8%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical impact: total

Details

CWE: CWE-384
Status: published
Products (18)
org.keycloak/keycloak-services, versions 0 to 22.0.12 (Maven)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 22 22-17
Red Hat/Red Hat build of Keycloak 22 22-20
Red Hat/Red Hat build of Keycloak 22 22.0.12-1
Red Hat/Red Hat build of Keycloak 24 24-16
Red Hat/Red Hat build of Keycloak 24 24.0.7-4
Red Hat/Red Hat JBoss Enterprise Application Platform 8
Red Hat/Red Hat Single Sign-On 7
Red Hat/Red Hat Single Sign-On 7.0
... and 8 more
Published: Sep 09, 2024
Tracked since: Feb 18, 2026