CVE-2024-7341: Session Fixation
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
AI Analysis
Technical Summary
CVE-2024-7341 is a session fixation vulnerability identified in the SAML adapters of Keycloak, an open-source identity and access management solution widely used for single sign-on (SSO) and identity federation. The vulnerability arises because the session ID and the JSESSIONID cookie are not regenerated upon user login, even when the configuration option turnOffChangeSessionIdOnLogin is enabled. This improper session management allows an attacker who can hijack or fixate a session prior to authentication to retain control of that session after the victim logs in, and thus to impersonate the victim and gain unauthorized access to protected resources. The flaw affects Keycloak versions 0, 23.0.0, and 25.0.0, indicating that it spans multiple releases. The CVSS v3.1 score of 7.1 reflects high severity: the attack vector is network-based, low privileges and user interaction are required, and confidentiality, integrity, and availability are all impacted. No public exploits have been reported yet, but the vulnerability poses a significant risk in environments that rely on Keycloak for SAML-based authentication. The issue highlights a critical failure in session fixation protection, a mechanism fundamental to secure authentication workflows.
Potential Impact
The impact of CVE-2024-7341 is substantial for organizations using Keycloak as their identity provider, particularly those leveraging SAML adapters for federated authentication. Successful exploitation allows attackers to hijack authenticated sessions, leading to unauthorized access to sensitive applications and data. This compromises confidentiality by exposing user data, integrity by allowing unauthorized actions under the victim's identity, and availability if attackers disrupt sessions or perform malicious activities. The vulnerability can facilitate lateral movement within networks, privilege escalation, and data breaches. Given Keycloak's widespread adoption in enterprises, government agencies, and cloud services, the threat can affect a broad range of sectors including finance, healthcare, technology, and public administration. The requirements for user interaction and low privileges reduce the ease of exploitation but do not eliminate risk, especially in targeted attacks or phishing scenarios. The absence of known exploits in the wild currently limits the immediate impact, but organizations should act proactively.
Mitigation Recommendations
To mitigate CVE-2024-7341, organizations should prioritize updating Keycloak to versions in which this vulnerability is patched once official fixes are released. In the interim, administrators should review and adjust session management configurations to ensure that session IDs are regenerated upon login, overriding or disabling the turnOffChangeSessionIdOnLogin option if necessary. Implementing additional security controls such as multi-factor authentication (MFA) can reduce the risk of session hijacking. Monitoring and logging authentication events and session anomalies can help detect exploitation attempts. Network segmentation and limiting exposure of Keycloak endpoints to trusted networks reduce the attack surface. Educating users about phishing and social engineering risks can prevent attackers from obtaining initial session fixation opportunities. Finally, conducting regular security assessments and penetration testing focused on authentication flows will help identify and remediate session management weaknesses.
Affected Countries
United States, Germany, United Kingdom, India, Japan, Brazil, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-07-31T15:13:22.220Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69156c928f1a6240445ae4a8
Added to database: 11/13/2025, 5:28:50 AM
Last enriched: 2/28/2026, 3:55:21 AM
Last updated: 3/25/2026, 1:45:49 PM