CVE-2024-7341 in Elytron

Summary

by MITRE • 09/09/2024

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.


Analysis

by VulDB Data Team • 08/31/2025

The vulnerability identified as CVE-2024-7341 represents a critical session fixation weakness within Keycloak's SAML adapters that directly undermines the security of authentication flows. This issue manifests when users authenticate through SAML-enabled applications integrated with Keycloak, creating a scenario where attackers can exploit the lack of proper session management during the authentication process. The flaw specifically affects the session handling mechanism that should automatically regenerate session identifiers upon successful authentication, a fundamental security practice that prevents session hijacking attacks.

Technically, the vulnerability stems from the session ID regeneration step not being executed even when administrators configure the turnOffChangeSessionIdOnLogin option. That parameter is designed to disable automatic session ID changes during login, but the flaw shows that the adapter does not correctly enforce the setting and provides no alternative session management mechanism. As a result, an attacker can keep the same session identifier throughout the authentication process and reuse an existing session cookie to gain unauthorized access to a user's account. This behavior directly violates established security principles and leaves a persistent attack vector in place even when the control has been explicitly configured.

From an operational impact perspective, this vulnerability exposes organizations using Keycloak SAML adapters to significant risk of unauthorized account access and potential data breaches. Attackers who successfully hijack sessions before authentication can exploit this flaw to maintain their privileged access, potentially gaining access to sensitive information, performing unauthorized transactions, or executing further attacks within the compromised systems. The vulnerability affects the core authentication mechanism of SAML-based applications, making it particularly dangerous for enterprise environments where single sign-on solutions are prevalent and security controls are paramount.

Security practitioners should address this vulnerability through immediate mitigation, including disabling the problematic SAML adapter configuration, adding session monitoring controls, and ensuring that proper session management practices are enforced. Organizations should also consider additional authentication layers such as multi-factor authentication to reduce the impact of session fixation attacks. The vulnerability aligns with CWE-384, which specifically addresses session fixation in web applications, and maps to ATT&CK technique T1563.002 related to credentials from password stores. Organizations using Keycloak should also implement proper session timeout mechanisms, enforce secure cookie attributes, and conduct regular security assessments to identify similar weaknesses in their authentication infrastructure. The flaw underscores the importance of proper session management in identity and access management systems, particularly in SAML-based environments where session consistency is essential for maintaining security boundaries.
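A defender-side check for this class of flaw, added here as an example and not part of the advisory or of Keycloak's own code: compare the Set-Cookie headers from the response that created the pre-login session with those from the response that completes login, and flag a JSESSIONID that is reused or never reissued (the CWE-384 condition described above), as well as a session cookie missing Secure or HttpOnly. The sample header values are constructed, not captured from a real deployment.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # session cookie named in the advisory
FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}

def parse_set_cookie(headers):
    """Map cookie name -> Morsel from a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie)  # SimpleCookie is a dict of name -> Morsel
    return jar

def check_session_rotation(pre_login, post_login, name=SESSION_COOKIE):
    """Compare the session cookie issued before and after authentication.

    pre_login / post_login: Set-Cookie header values from the response that
    first created the session and from the response completing the login.
    Returns a list of findings; an empty list means the id was rotated and
    the cookie carries both Secure and HttpOnly.
    """
    before = parse_set_cookie(pre_login)
    after = parse_set_cookie(post_login)
    findings = []
    if name not in before:
        return [f"no {name} issued before login; nothing to compare"]
    if name not in after:
        # No new Set-Cookie at login: the browser silently keeps the pre-login id.
        findings.append(f"{name} not reissued at login; pre-login id survives (CWE-384)")
    elif before[name].value == after[name].value:
        findings.append(f"{name} unchanged across login (session fixation, CWE-384)")
    current = after.get(name, before[name])  # cookie the client will keep using
    for flag, label in FLAG_NAMES.items():
        if not current[flag]:
            findings.append(f"{name} lacks the {label} attribute")
    return findings

# Constructed sample exchanges (not captured from a real Keycloak deployment).
PRE_LOGIN = ["JSESSIONID=7f3c9a1e0b; Path=/app; Secure; HttpOnly"]
VULNERABLE_LOGIN = []  # login response leaves the existing id untouched
ROTATED_LOGIN = ["JSESSIONID=c42d8e9a11; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    print("vulnerable:", check_session_rotation(PRE_LOGIN, VULNERABLE_LOGIN))
    print("rotated:   ", check_session_rotation(PRE_LOGIN, ROTATED_LOGIN))
```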

Reservation: 07/31/2024

Disclosure: 09/09/2024

Moderation: accepted

CPE: ready

EPSS: 0.02246

KEV: no

Activities: very low
