Description
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
References (12)
Scores
CVSS v3: 7.1
EPSS: 0.0225
EPSS Percentile: 84.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-384
Status: published
Products (18)
org.keycloak/keycloak-services: 0 - 22.0.12 (Maven)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 22: 22.0.12-1
Red Hat/Red Hat build of Keycloak 22: 22-17
Red Hat/Red Hat build of Keycloak 22: 22-20
Red Hat/Red Hat build of Keycloak 24: 24.0.7-4
Red Hat/Red Hat build of Keycloak 24: 24-16
Red Hat/Red Hat JBoss Enterprise Application Platform 8
Red Hat/Red Hat Single Sign-On 7
Red Hat/Red Hat Single Sign-On 7.0
... and 8 more
Published: Sep 09, 2024
Tracked Since: Feb 18, 2026