
AIKIDO-2024-10366

keycloak-saml-wildfly-elytron-adapter is vulnerable to Session Fixation

Vulnerability type: Session Fixation
CVE: CVE-2024-7341
Published: Oct 25, 2024

Severity score: 75 (High Risk)

This affects:

Ecosystem: Java (Maven coordinates org.keycloak:keycloak-saml-wildfly-elytron-adapter)

Affected range      Fixed in
0.0.1 - 22.0.11     22.0.12
24.0.0 - 24.0.6     24.0.7
25.0.0 - 25.0.4     25.0.5

TL;DR

Affected versions of the adapter do not rotate the session ID, and the JSESSIONID cookie that carries it, when a user completes a SAML login: the session that existed before authentication simply becomes the authenticated session. An attacker who can get a session ID of their choosing into the victim's browser before login (for example by planting a JSESSIONID cookie) therefore already holds a valid identifier for the victim's authenticated session once the login completes, and can use it to act as the victim. Unlike cookie theft, the attacker never needs to read the victim's cookie after login; knowing the pre-login value is enough.
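The following is an added example, not code from Keycloak or from this advisory. It models a servlet-style container with an in-memory JSESSIONID store (the `SessionStore` class, the `rotate_on_login` flag and the e-mail address are all assumptions made for the illustration) and plays the attack described above twice: once against the vulnerable behaviour, where the pre-authentication ID survives login, and once against the fixed behaviour, where login discards the old ID and issues a fresh one. It also includes a black-box check over Cookie/Set-Cookie header values that a tester can apply to a real login flow to confirm the fix; the header strings in the usage section are constructed samples.

```python
"""Session fixation: why a session ID must be rotated at login.

Added example, not Keycloak code. SessionStore is a stand-in for a servlet
container's session registry; rotate_on_login selects the vulnerable
(False) or fixed (True) behaviour.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


@dataclass
class SessionStore:
    """Minimal model of a container's session registry: sid -> user or None."""
    sessions: Dict[str, Optional[str]] = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = None  # anonymous (pre-authentication) session
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)

    def login(self, sid: str, user: str, rotate_on_login: bool) -> str:
        """Bind `user` to a session and return the ID the client should use.

        Vulnerable (rotate_on_login=False): the identity is bound to the ID
        the client presented, so anyone who already knows that ID now holds
        an authenticated session.
        Fixed (rotate_on_login=True): the presented ID is invalidated and the
        authenticated state exists only under a freshly generated ID.
        """
        if sid not in self.sessions:
            # Unknown ID: a container would start a new session instead.
            sid = self.new_session()
        if not rotate_on_login:
            self.sessions[sid] = user
            return sid
        del self.sessions[sid]
        fresh = self.new_session()
        self.sessions[fresh] = user
        return fresh


def run_fixation_attack(rotate_on_login: bool) -> bool:
    """Return True if the attacker ends up holding the victim's authenticated session."""
    store = SessionStore()
    # 1. Attacker obtains a valid pre-authentication session ID from the app.
    attacker_sid = store.new_session()
    # 2. Attacker plants that ID in the victim's browser (modelled directly;
    #    in practice via an injected cookie or a link carrying the ID).
    victim_sid = attacker_sid
    # 3. Victim completes the SAML login; the adapter binds the identity.
    store.login(victim_sid, "victim@example.com", rotate_on_login)  # assumed user
    # 4. Attacker replays the ID they planted.
    return store.user_for(attacker_sid) == "victim@example.com"


def jsessionid_from_set_cookie(set_cookie_headers: List[str]) -> Optional[str]:
    """Extract the JSESSIONID value from a list of Set-Cookie header values."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if "JSESSIONID" in jar:
            return jar["JSESSIONID"].value
    return None


def login_rotates_session(pre_login_sid: str, post_login_set_cookie: List[str]) -> bool:
    """Black-box check: did the login response issue a *different* JSESSIONID?

    A response that sets no JSESSIONID, or re-sets the same value, leaves the
    client on the pre-authentication ID, which is the fixation condition.
    """
    new_sid = jsessionid_from_set_cookie(post_login_set_cookie)
    return new_sid is not None and new_sid != pre_login_sid


if __name__ == "__main__":
    print("vulnerable adapter, attacker owns victim session:",
          run_fixation_attack(rotate_on_login=False))
    print("fixed adapter, attacker owns victim session:",
          run_fixation_attack(rotate_on_login=True))
    # Constructed header samples standing in for a captured login response.
    pre_login = "3f9c0b1a2d4e"
    vulnerable_response = ["JSESSIONID=3f9c0b1a2d4e; Path=/; HttpOnly"]
    fixed_response = ["JSESSIONID=8a71e2c9d0bf; Path=/; HttpOnly; Secure"]
    print("vulnerable response rotates:", login_rotates_session(pre_login, vulnerable_response))
    print("fixed response rotates:", login_rotates_session(pre_login, fixed_response))
```

To use the check against a real deployment, record the JSESSIONID your client holds before starting the SAML login, then pass the Set-Cookie header values from the response that completes the login to `login_rotates_session`; a result of False means the pre-login ID is still the authenticated one.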

Who does this affect?

You are affected if your application uses keycloak-saml-wildfly-elytron-adapter (the Keycloak SAML adapter for WildFly with Elytron) at a version in one of the ranges above to handle SAML login. Check the version of org.keycloak:keycloak-saml-wildfly-elytron-adapter that is actually resolved in your build (for example with mvn dependency:tree), not only the version you declare, since the artifact may arrive as a transitive dependency.

Background info

keycloak-saml-wildfly-elytron-adapter is vulnerable to Session Fixation in versions 0.0.1 - 22.0.11, 24.0.0 - 24.0.6 and 25.0.0 - 25.0.4.

How to fix this

Upgrade org.keycloak:keycloak-saml-wildfly-elytron-adapter to the fixed release for your line: 22.0.12 or later on 22.0.x, 24.0.7 or later on 24.0.x, or 25.0.5 or later on 25.0.x. The flaw is in the adapter library, so the upgrade must be deployed to every WildFly instance that runs the adapter; patching the Keycloak server alone does not change the adapter's behaviour. After upgrading, confirm the fix by checking that the JSESSIONID issued by the response completing a SAML login differs from the one the client held before the login started.