CVE-2024-7341 — HIGH (7.1) — White Hats Nepal

Q: How severe is CVE-2024-7341?

CVE-2024-7341 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-7341?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Build Of Keycloak.

Vulnerability Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Keycloak	<= 25.0.2
Redhat	Single Sign-On	>= 7.6, < 7.6.10
Redhat	Enterprise Linux	7.0
Redhat	Build Of Keycloak	>= 22.0, < 22.0.12

Related Weaknesses (CWE)

CWE-384

References

https://access.redhat.com/errata/RHSA-2024:6493Mailing List
https://access.redhat.com/errata/RHSA-2024:6494Mailing List
https://access.redhat.com/errata/RHSA-2024:6495Mailing List
https://access.redhat.com/errata/RHSA-2024:6497Mailing List
https://access.redhat.com/errata/RHSA-2024:6499Mailing List
https://access.redhat.com/errata/RHSA-2024:6500Mailing List
https://access.redhat.com/errata/RHSA-2024:6501Mailing List
https://access.redhat.com/errata/RHSA-2024:6502Mailing List
https://access.redhat.com/errata/RHSA-2024:6503Mailing List
https://access.redhat.com/security/cve/CVE-2024-7341Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2302064Issue TrackingVendor Advisory
https://github.com/advisories/GHSA-j76j-rqwj-jmvv

FAQ

What is CVE-2024-7341?

CVE-2024-7341 is a vulnerability with a CVSS score of 7.1 (HIGH). A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin optio...

How severe is CVE-2024-7341?

CVE-2024-7341 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-7341?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Keycloak, Redhat Single Sign-On, Redhat Enterprise Linux, Redhat Build Of Keycloak.