Duplicate Advisory: Keycloak Session Fixation vulnerability

GHSA-j76j-rqwj-jmvv

Published Sep 9, 2024 · Modified Dec 20, 2024

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references.

Original Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-7341
WEB https://github.com/keycloak/keycloak/commit/2341d6ee7a3567c58fd6a04a419fe4403e13374c
WEB https://github.com/keycloak/keycloak/commit/5b3de0c7e7f367103affe2f5167913a2ce021cf1
WEB https://github.com/keycloak/keycloak/commit/5e06da2f6794c695051605e26a01affa3a18f66b
WEB https://access.redhat.com/errata/RHSA-2024:6493
WEB https://access.redhat.com/errata/RHSA-2024:6494
WEB https://access.redhat.com/errata/RHSA-2024:6495
WEB https://access.redhat.com/errata/RHSA-2024:6497
WEB https://access.redhat.com/errata/RHSA-2024:6499
WEB https://access.redhat.com/errata/RHSA-2024:6500
WEB https://access.redhat.com/errata/RHSA-2024:6501
WEB https://access.redhat.com/errata/RHSA-2024:6502
WEB https://access.redhat.com/errata/RHSA-2024:6503
WEB https://access.redhat.com/security/cve/CVE-2024-7341
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2302064
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes