CVE-2024-10318

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
References
Link Resource
https://my.f5.com/manage/s/article/K000148232 Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:*

History

08 Nov 2024, 19:51

Type Values Removed Values Added
First Time F5 nginx Api Connectivity Manager
F5 nginx Ingress Controller
F5 nginx Instance Manager
F5 nginx Openid Connect
F5
Summary
  • (es) Se descubrió un problema de fijación de sesión en la implementación de referencia de NGINX OpenID Connect, donde no se verificaba un nonce en el momento de iniciar sesión. Esta falla permite que un atacante fije la sesión de una víctima a una cuenta controlada por el atacante. Como resultado, aunque el atacante no puede iniciar sesión como la víctima, puede forzar la sesión para asociarla con la cuenta controlada por el atacante, lo que lleva a un posible uso indebido de la sesión de la víctima.
References () https://my.f5.com/manage/s/article/K000148232 - () https://my.f5.com/manage/s/article/K000148232 - Mitigation, Vendor Advisory
CPE cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*

06 Nov 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-06 17:15

Updated : 2024-11-08 19:51


NVD link : CVE-2024-10318

Mitre link : CVE-2024-10318

CVE.ORG link : CVE-2024-10318


JSON object : View

Products Affected

f5

  • nginx_ingress_controller
  • nginx_openid_connect
  • nginx_api_connectivity_manager
  • nginx_instance_manager
CWE
CWE-384

Session Fixation