GHSA-j76j-rqwj-jmvv

Source
https://github.com/advisories/GHSA-j76j-rqwj-jmvv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-j76j-rqwj-jmvv/GHSA-j76j-rqwj-jmvv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j76j-rqwj-jmvv
Aliases
Related
Published
2024-09-09T21:31:22Z
Modified
2024-09-27T14:50:37.599628Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Keycloak Session Fixation vulnerability
Details

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The adapter does not regenerate the HTTP session ID (and therefore the JSESSIONID cookie) when a user authenticates, even when the turnOffChangeSessionIdOnLogin adapter option is left at its default of false, which is the setting that is supposed to force a new session ID on login. An attacker who can fix the victim's pre-authentication session ID (for example by planting a JSESSIONID cookie in the victim's browser) therefore holds a session that becomes authenticated as the victim as soon as the victim logs in.
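The flaw and the fix, modelled offline as an added example (this is not Keycloak's code; `ToyAdapter`, `fixation_attack` and the "alice" principal are constructed for illustration). The toy adapter stands in for a SAML adapter in front of a servlet container: it issues an anonymous JSESSIONID, then on a successful SAML login either keeps that ID (the vulnerable behaviour described above) or replaces it (what the default turnOffChangeSessionIdOnLogin=false is supposed to deliver). The `session_id_rotated` check is the black-box test a practitioner can run against a real deployment by capturing the Set-Cookie headers before and after login.

```python
"""Session fixation (CWE-384) in a SAML-adapter-style login flow, modelled offline.

Added example, not Keycloak code. Names and flows are constructed for
illustration; the session store is an in-memory dict.
"""
import secrets

SESSION_COOKIE = "JSESSIONID"


class ToyAdapter:
    """Stand-in for a SAML adapter managing container sessions (hypothetical)."""

    def __init__(self, rotate_session_on_login: bool):
        self.rotate_session_on_login = rotate_session_on_login
        self._sessions: dict[str, dict] = {}

    def new_anonymous_session(self) -> tuple[str, str]:
        """First unauthenticated request: create a session, return (id, Set-Cookie)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"principal": None}
        return sid, f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"

    def complete_saml_login(self, sid: str, principal: str) -> str:
        """Assertion consumer: bind the authenticated principal to a session and
        return the Set-Cookie header carried by the login response."""
        session = self._sessions[sid]
        if self.rotate_session_on_login:
            # Fixed behaviour: migrate state into a fresh id and invalidate the
            # old one (what HttpServletRequest.changeSessionId() does in Servlet 3.1).
            new_sid = secrets.token_hex(16)
            self._sessions[new_sid] = dict(session, principal=principal)
            del self._sessions[sid]
            sid = new_sid
        else:
            # Vulnerable behaviour: the pre-login id is simply promoted to
            # an authenticated session, so whoever knows it is now the user.
            session["principal"] = principal
        return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"

    def whoami(self, sid: str):
        """Principal a request presenting `sid` is treated as (None if unknown)."""
        session = self._sessions.get(sid)
        return session["principal"] if session else None


def cookie_value(set_cookie: str, name: str = SESSION_COOKIE):
    """Pull `name`'s value out of a Set-Cookie header, ignoring attributes."""
    first, *_ = set_cookie.split(";")
    key, _, value = first.strip().partition("=")
    return value if key == name else None


def session_id_rotated(pre_login_set_cookie: str, post_login_set_cookie: str) -> bool:
    """Black-box check: did the login response issue a different JSESSIONID?"""
    before = cookie_value(pre_login_set_cookie)
    after = cookie_value(post_login_set_cookie)
    return after is not None and after != before


def fixation_attack(adapter: ToyAdapter):
    """Attacker plants a session id, victim logs in, attacker replays the id.
    Returns (id_was_rotated, principal the attacker is treated as)."""
    # 1. Attacker obtains an anonymous session from the application.
    attacker_sid, pre_cookie = adapter.new_anonymous_session()
    # 2. Attacker plants it in the victim's browser (e.g. cookie injection from a
    #    sibling subdomain); the victim now sends JSESSIONID=attacker_sid.
    victim_sid = attacker_sid
    # 3. Victim authenticates via SAML; the adapter binds "alice" to a session.
    post_cookie = adapter.complete_saml_login(victim_sid, "alice")
    # 4. Attacker replays the id they planted.
    return session_id_rotated(pre_cookie, post_cookie), adapter.whoami(attacker_sid)


if __name__ == "__main__":
    for rotate in (False, True):
        rotated, seen_as = fixation_attack(ToyAdapter(rotate_session_on_login=rotate))
        print(f"rotate_on_login={rotate}: id rotated={rotated}, attacker is {seen_as!r}")
```

Against a real deployment the same check is: record the JSESSIONID set on the first unauthenticated request to the adapter-protected application, complete the SAML login, and compare it with the JSESSIONID set by the response that consumes the assertion. An unchanged value on an affected version is the vulnerable condition; after upgrading to a fixed release the value must differ and the old ID must no longer resolve to the authenticated session.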

Database specific
{
    "nvd_published_at": "2024-09-09T19:15:14Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-09T22:33:50Z"
}
References

Affected packages

Maven / org.keycloak:keycloak-services

Package

Name
org.keycloak:keycloak-services
Purl
pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type
ECOSYSTEM
Events
Introduced
25.0.0
Fixed
25.0.5

Affected versions

25.*

25.0.0
25.0.1
25.0.2
25.0.3
25.0.4

Maven / org.keycloak:keycloak-services

Package

Name
org.keycloak:keycloak-services
Purl
pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
22.0.12

Affected versions

1.*

1.0-alpha-1
1.0-alpha-1-12062013
1.0-alpha-2
1.0-alpha-3
1.0-alpha-4
1.0-beta-1
1.0-beta-1-20150521
1.0-beta-1-20150523
1.0-beta-2
1.0-beta-3
1.0-beta-4
1.0-rc-1
1.0-rc-2
1.0-final
1.0.1.Final
1.0.2.Final
1.0.3.Final
1.0.4.Final
1.0.5.Final
1.1.0.Beta1
1.1.0.Beta2
1.1.0.Final
1.1.1.Final
1.2.0.Beta1
1.2.0.CR1
1.2.0.Final
1.3.0.Final
1.3.1.Final
1.4.0.Final
1.5.0-Final
1.5.0.Final
1.5.1.Final
1.6.0.Final
1.6.1.Final
1.7.0.CR1
1.7.0.Final
1.8.0.Alpha1
1.8.0.CR1
1.8.0.CR2
1.8.0.CR3
1.8.0.Final
1.8.1.Final
1.9.0.CR1
1.9.0.Final
1.9.1.Final
1.9.2.Final
1.9.3.Final
1.9.4.Final
1.9.5.Final
1.9.7.Final
1.9.8.Final

2.*

2.0.0.CR1
2.0.0.Final
2.1.0.CR1
2.1.0.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.3.0.CR1
2.3.0.Final
2.4.0.CR1
2.4.0.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.4.Final
2.5.5.Final

3.*

3.0.0.CR1
3.0.0.Final
3.1.0.CR1
3.1.0.Final
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.3.0.CR1
3.3.0.CR2
3.3.0.Final
3.4.0.CR1
3.4.0.Final
3.4.1.CR1
3.4.1.Final
3.4.2.Final
3.4.3.Final

4.*

4.0.0.Beta1
4.0.0.Beta2
4.0.0.Beta3
4.0.0.Final
4.1.0.Final
4.2.0.Final
4.2.1.Final
4.3.0.Final
4.4.0.Final
4.5.0.Final
4.6.0.Final
4.7.0.Final
4.8.0.Final
4.8.1.Final
4.8.2.Final
4.8.3.Final

5.*

5.0.0

6.*

6.0.0
6.0.1

7.*

7.0.0
7.0.1

8.*

8.0.0
8.0.1
8.0.2

9.*

9.0.0
9.0.2
9.0.3

10.*

10.0.0
10.0.1
10.0.2

11.*

11.0.0
11.0.1
11.0.2
11.0.3

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4

13.*

13.0.0
13.0.1

14.*

14.0.0

15.*

15.0.0
15.0.1
15.0.2
15.1.0
15.1.1

16.*

16.0.0
16.1.0
16.1.1

17.*

17.0.0
17.0.1

18.*

18.0.0
18.0.1
18.0.2

19.*

19.0.0
19.0.1
19.0.2
19.0.3

20.*

20.0.0
20.0.1
20.0.2
20.0.3
20.0.4
20.0.5

21.*

21.0.0
21.0.1
21.0.2
21.1.0
21.1.1
21.1.2

22.*

22.0.0
22.0.1
22.0.2
22.0.3
22.0.4
22.0.5

Maven / org.keycloak:keycloak-services

Package

Name
org.keycloak:keycloak-services
Purl
pkg:maven/org.keycloak/keycloak-services

Affected ranges

Type
ECOSYSTEM
Events
Introduced
23.0.0
Fixed
24.0.7

Affected versions

23.*

23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5