This vulnerability involves session fixation in the Elytron SAML adapters used by Keycloak, where the session ID and JSESSIONID cookie remain unchanged at login time despite configuration settings intended to prevent this. An attacker who obtains a valid session before authentication can exploit this flaw to maintain control over the session after login, potentially leading to unauthorized access. The issue affects Red Hat Single Sign-On 7.6 versions on RHEL 7 and RHEL 8. Red Hat has issued security advisories RHSA-2024:6493 and RHSA-2024:6494, releasing updated packages (7.6.10) that fix this vulnerability.

The vulnerability allows an attacker to perform session fixation by hijacking a session prior to authentication and maintaining control over it after login. This can lead to unauthorized access with the privileges of the authenticated user. The CVSS v3.1 base score is 7.1 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges and user interaction.

Red Hat has released updated packages for Red Hat Single Sign-On 7.6.10 on RHEL 7 and RHEL 8 that address this session fixation vulnerability. Users should apply these security updates promptly. Before applying the update, ensure all previously released errata relevant to the system are applied. Refer to Red Hat's official guidance at https://access.redhat.com/articles/11258 for update procedures. No additional mitigation steps are indicated by the vendor advisory.