Home > Vulnerability Database > CVE-2024-7341

Mend.io Vulnerability Database

CVE-2024-7341

Good to know:

Date: September 9, 2024

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Language: Java

Severity Score

7.1

Related Resources (18)

Url: https://access.redhat.com/errata/RHSA-2024:6495

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7341

Url: https://access.redhat.com/errata/RHSA-2024:6494

Url: https://access.redhat.com/errata/RHSA-2024:6493

Url: https://access.redhat.com/errata/RHSA-2024:6500

Url: https://access.redhat.com/errata/RHSA-2024:6499

Url: https://github.com/keycloak/keycloak/commit/5e06da2f6794c695051605e26a01affa3a18f66b

Url: https://access.redhat.com/errata/RHSA-2024:6497

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2302064

Url: https://access.redhat.com/security/cve/CVE-2024-7341

Url: https://access.redhat.com/errata/RHSA-2024:6503

Url: https://github.com/keycloak/keycloak/commit/2341d6ee7a3567c58fd6a04a419fe4403e13374c

Url: https://access.redhat.com/errata/RHSA-2024:6502

Url: https://access.redhat.com/errata/RHSA-2024:6501

Url: https://github.com/keycloak/keycloak/security/advisories/GHSA-5rxp-2rhr-qwqv

Url: https://github.com/keycloak/keycloak/commit/5b3de0c7e7f367103affe2f5167913a2ce021cf1

Url: https://github.com/keycloak/keycloak

Url: https://www.mend.io/vulnerability-database/CVE-2024-7341

Severity Score

7.1

Weakness Type (CWE)

Session Fixation

CWE-384

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:25.0.5

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7341

Good to know:

Date: September 9, 2024

Language: Java

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?