logo

Database

Session Fixation In org.keycloak:keycloak-services

Description

Keycloak vulnerable to session hijacking via re-authentication A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-67872. NVD-2023-67873. OSV-2023-67874. GHSA-c9h6-v78w-52wj5. GCVE-2023-67876. access.redhat.com7. access.redhat.com8. ACCESS-CVE-2023-6787

References

1. https://github.com/keycloak/keycloak/security/advisories/GHSA-c9h6-v78w-52wj2. https://bugzilla.redhat.com/show_bug.cgi?id=2254375

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.