{"id":"CVE-2024-7341","details":"A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.","aliases":["GHSA-5rxp-2rhr-qwqv"],"modified":"2026-04-02T12:26:13.707554Z","published":"2024-09-09T19:15:14.450Z","related":["CGA-p6wf-f8v7-hhxc"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2024-7341"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2302064"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6500"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6501"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6502"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6493"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6497"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6503"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6494"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6495"},{"type":"ARTICLE","url":"https://access.redhat.com/errata/RHSA-2024:6499"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"last_affected":"4ec23809f6b23e76bae7e1b1765f9d7c2c930680"},{"introduced":"b825ba97b489d715f7ca1984c19bd95afb355a38"},{"fixed":"8dccc90db0b1ed6c885973f2baa86ad8507671f9"},{"introduced":"a43d7b1cd6fe713e491aafdc8c618721d34f10e6"},{"fixed":"940b03ea9cc7c579aa3185e4d995a45d10b0c254"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"25.0.2"},{"introduced":"22.0"},{"fixed":"22.0.12"},{"introduced":"24.0"},{"fixed":"24.0.7"}]}}],"versions":["1.0-alpha-1","1.0-alpha-1-12062013","1.0-alpha-2","1.0-alpha-3","1.0-beta-1","1.0-beta-1-20150521","1.0-beta-1-20150523","1.0-beta-2","1.0-beta-3","1.0-beta-4","1.0-final","1.0-rc-1","1.0-rc-2","1.0.0.Final","1.0.1.Final","1.0.2.Final","1.0.3.Final","1.0.4.Final","1.0.5.Final","1.1.0.Beta1","1.1.0.Beta2","1.1.0.Final","1.1.1.Final","1.2.0.Beta1","1.2.0.CR1","1.2.0.CR1-redhat-1","1.2.0.Final","1.2.0.Final-redhat-1","1.2.0.Final-redhat-2","1.3.0.Final","1.3.1.Final","1.4.0.Final","1.5.0.Final","1.5.0.Final-redhat-1","1.5.1.Final","1.5.1.Final-redhat-1","1.5.1.Final-redhat-2","1.6.0.Final","1.6.0.Final-redhat-1","1.6.1.Final","1.6.1.Final-redhat-1","1.7.0.CR1","1.7.0.CR1-redhat-1","1.7.0.Final","1.7.0.Final-redhat-1","1.8.0.Alpha1","1.8.0.CR1","1.8.0.CR1-redhat-1","1.8.0.CR1-redhat-2","1.8.0.CR2","1.8.0.CR2-redhat-1","1.8.0.CR2-redhat-1-EAP-7","1.8.0.CR3","1.8.0.Final","1.8.0.Final-redhat-1","1.8.1.Final","1.8.1.Final-redhat-1","1.8.2.Final","1.8.2.Final-redhat-1","1.9.0.CR1","1.9.0.CR1-redhat-1","1.9.0.CR1-redhat-2","1.9.0.Final","1.9.0.Final-redhat-1","1.9.1.Final","1.9.2.Final","1.9.2.Test","1.9.3.Final","1.9.4.Final","1.9.5.Final","1.9.6.Final","1.9.7.Final","1.9.8.Final","10.0.0","10.0.1","10.0.2","11.0.0","11.0.1","11.0.2","11.0.3","12.0.0","12.0.1","12.0.2","12.0.3","12.0.4","13.0.0","13.0.1","14.0.0","15.0.0","15.0.1","15.0.2","15.1.0","15.1.1","16.0.0","16.1.0","16.1.1","17.0.0","17.0.0-2","17.0.0-3","17.0.0-4","17.0.0-5","17.0.0-6","17.0.1","18.0.0","18.0.1","18.0.2","19.0.0","19.0.1","19.0.2","19.0.3","2.0.0.CR1","2.0.0.Final","2.0.0.Test2","2.1.0.CR1","2.1.0.Final","2.2.0.CR1","2.2.0.Final","2.2.0.Test1","2.2.1.Final","2.3.0.CR1","2.3.0.Final","2.4.0.CR1","2.4.0.Final","2.4.0.Test","2.5.0.CR1","2.5.0.Final","2.5.1.Final","2.5.10.Final","2.5.2.Final","2.5.3.Final","2.5.4.Final","2.5.5.Final","2.5.6.Final","2.5.7.Final","2.5.8.Final","2.5.9.Final","20.0.0","20.0.1","20.0.2","20.0.3","20.0.4","20.0.5","21.0.0","21.0.1","21.0.2","21.1.0","21.1.1","21.1.2","22.0.0","22.0.1","22.0.10","22.0.11","22.0.13","22.0.2","22.0.3","22.0.4","22.0.5","22.0.6","22.0.7","22.0.8","22.0.9","23.0.0","23.0.1","23.0.2","23.0.3","23.0.4","23.0.5","23.0.6","23.0.7","24.0.0","24.0.1","24.0.10","24.0.2","24.0.3","24.0.4","24.0.5","24.0.6","24.0.8","24.0.9","25.0.0","25.0.1","25.0.2","25.0.3","25.0.4","25.0.5","25.0.6","26.0.0","26.0.1","26.0.10","26.0.11","26.0.12","26.0.13","26.0.14","26.0.15","26.0.16","26.0.17","26.0.2","26.0.3","26.0.4","26.0.5","26.0.6","26.0.7","26.0.8","26.0.9","26.1.0","26.1.1","26.1.2","26.1.3","26.1.4","26.1.5","26.2.0","26.2.1","26.2.10","26.2.11","26.2.12","26.2.2","26.2.3","26.2.4","26.2.5","26.2.6","26.2.7","26.2.8","26.2.9","26.3.0","26.3.1","26.3.2","26.3.3","26.3.4","26.3.5","26.4.0","26.4.1","26.4.2","26.4.3","26.4.4","26.4.5","26.4.6","26.4.7","26.4.8","26.5.0","26.5.1","26.5.2","3.0.0.CR1","3.0.0.Final","3.1.0.CR1","3.1.0.Final","3.1.1.Final-rhsso","3.2.0.CR1","3.2.0.Final","3.2.0.Final-rhsso","3.2.1.Final","3.3.0.CR1","3.3.0.CR2","3.3.0.Final","3.4.0.CR1","3.4.0.Final","3.4.1.CR1","3.4.1.Final","3.4.2.Final","3.4.3.Final","3.4.3.Final-2","4.0.0.Beta1","4.0.0.Beta2","4.0.0.Beta3","4.0.0.Final","4.1.0.Final","4.2.0.Final","4.2.1.Final","4.3.0.Final","4.4.0.Final","4.5.0.Final","4.6.0.Final","4.6.0.Tmp","4.7.0.Final","4.8.0.Final","4.8.1.Final","4.8.2.Final","4.8.3.Final","5.0.0","6.0.0","6.0.1","7.0.0","7.0.1","8.0.0","8.0.1","8.0.2","9.0.0","9.0.2","9.0.3","nightly"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7341.json","unresolved_ranges":[{"events":[{"introduced":"7.6"},{"fixed":"7.6.10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}