CVE-2024-7341

CVSS v4.0

7.5

High

Vector

AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Keycloak SAML adapters (affected versions not specified)

Description A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Session Fixation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-384

Related Identifiers

ALT-PU-2025-13422

ALT-PU-2025-2871

CVE-2024-7341

GHSA-5RXP-2RHR-QWQV

GHSA-J76J-RQWJ-JMVV

RHSA-2024:6493

RHSA-2024:6494

RHSA-2024:6495

Affected Products

Alt Linux

Keycloak

Keycloak Saml Adapters

CVE-2024-7341

Weakness Enumeration

Related Identifiers

Affected Products

References · 29