CVE-2024-10318

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-10318
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://my.f5.com/manage/s/article/K000148232 Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:*
History

08 Nov 2024, 19:51

Type Values Removed Values Added
First Time F5 nginx Api Connectivity Manager
F5 nginx Ingress Controller
F5 nginx Instance Manager
F5 nginx Openid Connect
F5
Summary
  • (es) Se descubrió un problema de fijación de sesión en la implementación de referencia de NGINX OpenID Connect, donde no se verificaba un nonce en el momento de iniciar sesión. Esta falla permite que un atacante fije la sesión de una víctima a una cuenta controlada por el atacante. Como resultado, aunque el atacante no puede iniciar sesión como la víctima, puede forzar la sesión para asociarla con la cuenta controlada por el atacante, lo que lleva a un posible uso indebido de la sesión de la víctima.
References () https://my.f5.com/manage/s/article/K000148232 - () https://my.f5.com/manage/s/article/K000148232 - Mitigation, Vendor Advisory
CPE cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*

06 Nov 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-06 17:15

Updated : 2024-11-08 19:51

NVD link : CVE-2024-10318

Mitre link : CVE-2024-10318

CVE.ORG link : CVE-2024-10318

JSON object : View

Products Affected

f5

  • nginx_api_connectivity_manager
  • nginx_instance_manager
  • nginx_openid_connect
  • nginx_ingress_controller
CWE
CWE-384

Session Fixation


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024