#VU88797 Session Fixation in Keycloak - CVE-2023-6787

Cybersecurity Help s.r.o.

Published: 2024-04-17

Vulnerability identifier: #VU88797

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-6787

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote attacker to hijack session of another user.

The vulnerability exists due to an error in the re-authentication mechanism in org.keycloak.authentication. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Keycloak: 22.0.0 - 24.0.2

External links
https://github.com/keycloak/keycloak/security/advisories/GHSA-c9h6-v78w-52wj
https://access.redhat.com/errata/RHSA-2024:1867
https://access.redhat.com/errata/RHSA-2024:1868

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Keycloak