CVE-2024-7341 Information
Description
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
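The following is an added example, not Keycloak code: a constructed in-memory model of a servlet-style session store in which a flag modelled on the turnOffChangeSessionIdOnLogin option decides whether the session identifier is rotated at login, plus the regression check a defender would run to confirm that a session identifier known before authentication is no longer bound to the authenticated principal afterwards (the store, the flag name and the principal value are assumptions).

```python
import secrets


class SessionStore:
    """Constructed model of a JSESSIONID-style session store (assumption, not Keycloak's code)."""

    def __init__(self, turn_off_change_session_id_on_login=False):
        # Modelled on the adapter option named in the advisory; True disables rotation.
        self.turn_off_change_session_id_on_login = turn_off_change_session_id_on_login
        self.sessions = {}  # session id -> attributes bound to that id

    def new_session(self):
        """Issue an unauthenticated session, as a container does before login."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"principal": None}
        return sid

    def login(self, sid, principal):
        """Authenticate the session; rotate the id unless rotation is turned off."""
        if sid not in self.sessions:
            raise KeyError("unknown session id")
        if not self.turn_off_change_session_id_on_login:
            # Correct behaviour: move the attributes to a fresh id and retire the old one.
            attrs = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = attrs
        self.sessions[sid]["principal"] = principal
        return sid

    def principal(self, sid):
        return self.sessions.get(sid, {}).get("principal")


def check_rotation_on_login(store, principal="alice"):
    """Regression check: after login the pre-auth id must differ and must not be authenticated."""
    pre_auth_id = store.new_session()
    post_auth_id = store.login(pre_auth_id, principal)
    return {
        "rotated": post_auth_id != pre_auth_id,
        # True here is the session fixation condition the advisory describes.
        "pre_auth_id_authenticated": store.principal(pre_auth_id) == principal,
    }
```

Run the check against a store with rotation turned off to see the pre-authentication identifier remain bound to the authenticated principal, which is the condition to test for after applying the fix.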
References
https://access.redhat.com/errata/RHSA-2024:6493
https://access.redhat.com/errata/RHSA-2024:6494
https://access.redhat.com/errata/RHSA-2024:6495
https://access.redhat.com/errata/RHSA-2024:6497
https://access.redhat.com/errata/RHSA-2024:6499
https://access.redhat.com/errata/RHSA-2024:6500
https://access.redhat.com/errata/RHSA-2024:6501
https://access.redhat.com/errata/RHSA-2024:6502
https://access.redhat.com/errata/RHSA-2024:6503
https://access.redhat.com/security/cve/CVE-2024-7341
https://bugzilla.redhat.com/show_bug.cgi?id=2302064