logo

Database

Session Fixation In org.keycloak:keycloak-services

Description

Duplicate Advisory: Keycloak Session Fixation vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references.

Original Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2024-73412. GCVE-GHSA-j76j-rqwj-jmvv3. access.redhat.com4. access.redhat.com5. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. ACCESS-CVE-2024-7341

References

1. https://github.com/keycloak/keycloak/commit/2341d6ee7a3567c58fd6a04a419fe4403e13374c2. https://github.com/keycloak/keycloak/commit/5b3de0c7e7f367103affe2f5167913a2ce021cf13. https://github.com/keycloak/keycloak/commit/5e06da2f6794c695051605e26a01affa3a18f66b4. https://bugzilla.redhat.com/show_bug.cgi?id=2302064

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.