CVE-2024-7341

moderate-risk

Published 2024-09-09

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Do I need to act?

1.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

NETWORK / HIGH complexity

Affected Products (4)

Keycloak

Single Sign-On

Build Of Keycloak

Single Sign-On

Affected Vendors

Redhat

References (12)

Mailing List https://access.redhat.com/errata/RHSA-2024:6493

Mailing List https://access.redhat.com/errata/RHSA-2024:6494

Mailing List https://access.redhat.com/errata/RHSA-2024:6495

Mailing List https://access.redhat.com/errata/RHSA-2024:6497

Mailing List https://access.redhat.com/errata/RHSA-2024:6499

Mailing List https://access.redhat.com/errata/RHSA-2024:6500

Mailing List https://access.redhat.com/errata/RHSA-2024:6501

Mailing List https://access.redhat.com/errata/RHSA-2024:6502

Mailing List https://access.redhat.com/errata/RHSA-2024:6503

Vendor Advisory https://access.redhat.com/security/cve/CVE-2024-7341

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2302064

https://github.com/advisories/GHSA-j76j-rqwj-jmvv

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 5/34 · Minimal

Exposure 10/34 · Low