logo

Database

Session Fixation In org.keycloak:keycloak-services

Description

Keycloak has session fixation in Elytron SAML adapters A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-73412. NVD-2024-73413. OSV-2024-73414. GHSA-5rxp-2rhr-qwqv5. GCVE-2024-73416. ACCESS-CVE-2024-73417. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-5rxp-2rhr-qwqv2. https://github.com/keycloak/keycloak/commit/5e06da2f6794c695051605e26a01affa3a18f66b3. https://github.com/keycloak/keycloak/commit/5b3de0c7e7f367103affe2f5167913a2ce021cf14. https://github.com/keycloak/keycloak/commit/2341d6ee7a3567c58fd6a04a419fe4403e13374c5. https://bugzilla.redhat.com/show_bug.cgi?id=2302064

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.