Bug 2302064 (CVE-2024-7341)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2024-7341 wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters | | |
| Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, dpalmer, drichtar, fjuma, istudens, ivassile, iweiss, jkoops, josephasmith1310, lgao, mosmerov, msochure, msvehla, mulliken, nwallace, pdrozd, peholase, pjindal, pmackay, pskopek, rmartinc, rowaters, rstancel, security-response-team, smaestri, sthorger, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Deadline: | 2024-09-09 | | |
Description
Robb Gatica
2024-07-31 15:15:26 UTC
This issue has been addressed in the following products: Red Hat Single Sign-On. Via RHSA-2024:6499 https://access.redhat.com/errata/RHSA-2024:6499

This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7. Via RHSA-2024:6493 https://access.redhat.com/errata/RHSA-2024:6493

This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8. Via RHSA-2024:6494 https://access.redhat.com/errata/RHSA-2024:6494

This issue has been addressed in the following products: Red Hat build of Keycloak 22. Via RHSA-2024:6501 https://access.redhat.com/errata/RHSA-2024:6501

This issue has been addressed in the following products: Red Hat build of Keycloak 24. Via RHSA-2024:6502 https://access.redhat.com/errata/RHSA-2024:6502

This issue has been addressed in the following products: Red Hat build of Keycloak 22. Via RHSA-2024:6503 https://access.redhat.com/errata/RHSA-2024:6503

This issue has been addressed in the following products: Red Hat build of Keycloak 22. Via RHSA-2024:6500 https://access.redhat.com/errata/RHSA-2024:6500

This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9. Via RHSA-2024:6495 https://access.redhat.com/errata/RHSA-2024:6495

This issue has been addressed in the following products: RHEL-8 based Middleware Containers. Via RHSA-2024:6497 https://access.redhat.com/errata/RHSA-2024:6497
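The Doc Text field above describes the flaw class only in one sentence: the session ID and JSESSIONID cookie survive the login step, so an ID that existed before authentication is still valid afterwards. The Python below is an added illustration written for this page; it is not Keycloak, WildFly Elytron or Red Hat code and says nothing about how the adapter fix was actually implemented. It models a minimal server-side session store with the flawed login path (ID kept) next to the hardened one (ID rotated, the moral equivalent of the standard Servlet 3.1 `HttpServletRequest.changeSessionId()`), and adds a black-box check an operator can run against a patched deployment by comparing the JSESSIONID sent with the login request against the one the login response sets. All session IDs and cookie headers are constructed, and the names `SessionStore`, `login`, `pre_login_id_still_authenticated` and `jsessionid_rotated` are this example's own.

```python
"""Session fixation versus session-ID rotation at login (added illustration).

Constructed sample data only; not Keycloak, Elytron or Red Hat code.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session store keyed by the cookie value (e.g. JSESSIONID)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, rotate_on_login: bool) -> str:
        """Mark the session as authenticated; return the ID the client must use next.

        rotate_on_login=False reproduces the flawed behaviour (ID kept across login).
        rotate_on_login=True is the hardened form: state is kept, the ID is replaced,
        which is what HttpServletRequest.changeSessionId() does in a Servlet container.
        """
        session = self._sessions.get(sid)
        if session is None:
            # An ID the server never issued is never adopted: start a fresh session.
            sid = self.new_session()
            session = self._sessions[sid]
        if rotate_on_login:
            del self._sessions[sid]           # invalidate the pre-login ID ...
            sid = secrets.token_urlsafe(24)   # ... and carry the state under a new one
            self._sessions[sid] = session
        session.user = user
        return sid


def pre_login_id_still_authenticated(rotate_on_login: bool) -> bool:
    """Does an ID issued before authentication stay valid and authenticated after login?

    True is the fixation condition: whoever knew the pre-login ID now holds the
    logged-in user's session. The hardened path must return False.
    """
    store = SessionStore()
    pre_login_sid = store.new_session()
    store.login(pre_login_sid, "alice", rotate_on_login)
    session = store.get(pre_login_sid)
    return session is not None and session.user == "alice"


def jsessionid_rotated(pre_login_cookie_header: str, post_login_set_cookie: str) -> bool:
    """Black-box check for a deployment: compare the JSESSIONID the browser sent with
    the login request against the JSESSIONID the login response sets.

    Returns False when the response sets no JSESSIONID at all or re-sets the same
    value, i.e. when the ID was not rotated at login.
    """
    before = SimpleCookie()
    before.load(pre_login_cookie_header)
    after = SimpleCookie()
    after.load(post_login_set_cookie)
    if "JSESSIONID" not in before or "JSESSIONID" not in after:
        return False
    return before["JSESSIONID"].value != after["JSESSIONID"].value


# Constructed sample header pairs (request Cookie value, response Set-Cookie value);
# not captured from any real system.
VULNERABLE_EXCHANGE = ("JSESSIONID=A1B2C3", "JSESSIONID=A1B2C3; Path=/; HttpOnly")
FIXED_EXCHANGE = ("JSESSIONID=A1B2C3", "JSESSIONID=Z9Y8X7; Path=/; HttpOnly")

if __name__ == "__main__":
    print("no rotation -> pre-login ID authenticated:", pre_login_id_still_authenticated(False))
    print("rotation    -> pre-login ID authenticated:", pre_login_id_still_authenticated(True))
    print("sample vulnerable exchange rotated:", jsessionid_rotated(*VULNERABLE_EXCHANGE))
    print("sample fixed exchange rotated:    ", jsessionid_rotated(*FIXED_EXCHANGE))
```

For the check against a real deployment, feed `jsessionid_rotated` the `Cookie` header your client sent on the request that completed authentication and the `Set-Cookie` header of the response; if it returns False the session ID was not rotated at login, which is the condition the Doc Text describes. Note that a response that sets no JSESSIONID at all is also reported as not rotated, since in that case the browser keeps its pre-login cookie.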