Session Fixation Affecting keycloak-fips package, versions <25.0.4-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Exploit Maturity
Not Defined
EPSS
0.19% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-KEYCLOAKFIPS-7926505
  • published10 Sept 2024
  • disclosed9 Sept 2024

Introduced: 9 Sep 2024

CVE-2024-7341  (opens in a new tab)
CWE-384  (opens in a new tab)

How to fix?

Upgrade Chainguard keycloak-fips to version 25.0.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream keycloak-fips package and not the keycloak-fips package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

CVSS Scores

version 3.1