CVE Vulnerabilities

CVE-2016-8609

Session Fixation

Published: Aug 01, 2018 | Modified: Nov 21, 2024
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
4.9 MODERATE
AV:N/AC:M/Au:S/C:P/I:P/A:N
RedHat/V3
3.7 MODERATE
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Ubuntu

It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the users session. This could lead to information disclosure, or permit further possible attacks.

Weakness

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Affected Software

Name Vendor Start Version End Version
Keycloak Redhat * 2.3.0 (excluding)
Red Hat Single Sign-On 7.0 RedHat *

Extended Description

Such a scenario is commonly observed when:

Potential Mitigations

References