CVE-2024-7341

Published: Sep 9, 2024

Modified: Apr 1, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Vendor	Product	Versions
Unknown	org.keycloak:keycloak-services	affected `0 - < 22.0.12` affected `23.0.0 - < 24.0.7` affected `25.0.0 - < 25.0.5`
Red Hat	Red Hat Build of Keycloak	All versions
Red Hat	Red Hat Build of Keycloak	All versions
Red Hat	Red Hat build of Keycloak 22	unaffected `22.0.12-1 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-17 - < *`
Red Hat	Red Hat build of Keycloak 22	unaffected `22-20 - < *`
Red Hat	Red Hat build of Keycloak 24	unaffected `24.0.7-4 - < *`
Red Hat	Red Hat build of Keycloak 24	unaffected `24-16 - < *`
Red Hat	Red Hat build of Keycloak 24	unaffected `24-16 - < *`
Red Hat	Red Hat Single Sign-On 7	All versions
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 7	unaffected `0:18.0.16-1.redhat_00001.1.el7sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 8	unaffected `0:18.0.16-1.redhat_00001.1.el8sso - < *`
Red Hat	Red Hat Single Sign-On 7.6 for RHEL 9	unaffected `0:18.0.16-1.redhat_00001.1.el9sso - < *`
Red Hat	RHEL-8 based Middleware Containers	unaffected `7.6-52 - < *`
Red Hat	Red Hat JBoss Enterprise Application Platform 8	All versions
Red Hat	Red Hat JBoss Enterprise Application Platform 8	All versions