Description
A flaw was found in Keycloak, caused by an error in the re-authentication mechanism in org.keycloak.authentication. It allows an active Keycloak session to be hijacked by triggering a new authentication process with the query parameter prompt=login, which prompts the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login", an account takeover may occur, because the new session, although it has a different sub (subject), carries the same sid (session ID) as the previous session.
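The relying-party-side consistency check below is an added example, not code from this advisory or from the Keycloak project. It assumes a client application that keeps the claims of the ID token for the session it is re-authenticating (the names PREVIOUS_CLAIMS, HIJACK_CLAIMS, check_reauth and the sample claim values are all constructed for illustration). The check flags exactly the condition the description names, a token whose sid matches the earlier session while its sub differs, and additionally requires auth_time to move forward, since a client that asked for prompt=login has no reason to accept a result in which credentials were not actually re-entered.

```python
import base64
import json

# Constructed sample ID-token claims (illustrative values, not real Keycloak output).
# "session-123" stands for the Keycloak user-session id carried in the "sid" claim.
PREVIOUS_CLAIMS = {
    "iss": "https://sso.example.test/realms/demo",
    "sub": "user-a",
    "sid": "session-123",
    "auth_time": 1700000000,
}
# What a relying party would receive if a different account completed the
# restarted login but inherited the original session id, as described above.
HIJACK_CLAIMS = {
    "iss": "https://sso.example.test/realms/demo",
    "sub": "user-b",
    "sid": "session-123",
    "auth_time": 1700000060,
}
# A consistent prompt=login re-authentication: same subject, newer auth_time.
FRESH_CLAIMS = {
    "iss": "https://sso.example.test/realms/demo",
    "sub": "user-a",
    "sid": "session-123",
    "auth_time": 1700000060,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(claims: dict) -> str:
    """Build a compact JWS-shaped string with a placeholder signature.
    Only used to produce sample input here; a real token is signed by the realm key."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.
    This does NOT verify the signature; verify it against the realm's JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_reauth(previous: dict, current: dict) -> list[str]:
    """Compare the claims returned by a re-authentication against the session it
    continues. Returns problem codes; an empty list means the result is consistent.

    SID_REUSED_BY_OTHER_SUB is the pattern from the advisory: the session id of
    the earlier login now belongs to a different subject.
    """
    problems = []
    if "sid" not in current:
        problems.append("MISSING_SID")
    if current.get("sub") != previous.get("sub"):
        problems.append("SUBJECT_CHANGED")
        if "sid" in current and current["sid"] == previous.get("sid"):
            problems.append("SID_REUSED_BY_OTHER_SUB")
    # prompt=login must produce a fresh authentication event.
    if current.get("auth_time", 0) <= previous.get("auth_time", 0):
        problems.append("AUTH_TIME_NOT_ADVANCED")
    return problems


def run_checks() -> dict:
    """Run the constructed scenarios through decode + check and return the verdicts."""
    return {
        "hijack": check_reauth(PREVIOUS_CLAIMS, decode_jwt_claims(make_token(HIJACK_CLAIMS))),
        "fresh": check_reauth(PREVIOUS_CLAIMS, decode_jwt_claims(make_token(FRESH_CLAIMS))),
        "replayed": check_reauth(PREVIOUS_CLAIMS, decode_jwt_claims(make_token(PREVIOUS_CLAIMS))),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result or 'ok'}")
```

A client that detects SID_REUSED_BY_OTHER_SUB should terminate its local session and send the user back through a full login rather than continue with the new token; the check is a compensating control for alerting and containment and does not replace applying the fixed packages listed below.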
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Will not fix | | |
| Red Hat build of Keycloak 22 | rhbk/keycloak-operator-bundle | Fixed | RHSA-2024:1867 | 16.04.2024 |
| Red Hat build of Keycloak 22 | rhbk/keycloak-rhel9 | Fixed | RHSA-2024:1867 | 16.04.2024 |
| Red Hat build of Keycloak 22 | rhbk/keycloak-rhel9-operator | Fixed | RHSA-2024:1867 | 16.04.2024 |
| Red Hat build of Keycloak 22.0.10 | keycloak-core | Fixed | RHSA-2024:1868 | 16.04.2024 |
Additional information
EPSS
CVSS3: 6.5 (Medium)
Related vulnerabilities
Keycloak vulnerable to session hijacking via re-authentication
A vulnerability in the Keycloak identity and access management software, related to flaws in the authentication procedure, that allows an attacker to hijack an active session