Описание
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
Ссылки
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingVendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Issue TrackingVendor Advisory
Уязвимые конфигурации
Одно из
EPSS
6.5 Medium
CVSS3
8.8 High
CVSS3
Дефекты
Связанные уязвимости
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login," an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session.
A flaw was found in Keycloak that occurs from an error in the re-authe ...
Keycloak vulnerable to session hijacking via re-authentication
Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с недостатками процедуры аутентификации, позволяющая нарушителю перехватить активный сеанс
EPSS
6.5 Medium
CVSS3
8.8 High
CVSS3