A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
References
Link | Resource |
---|---|
https://my.f5.com/manage/s/article/K000148232 | Mitigation Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
08 Nov 2024, 19:51
Type | Values Removed | Values Added |
---|---|---|
First Time |
F5 nginx Api Connectivity Manager
F5 nginx Ingress Controller F5 nginx Instance Manager F5 nginx Openid Connect F5 |
|
Summary |
|
|
References | () https://my.f5.com/manage/s/article/K000148232 - Mitigation, Vendor Advisory | |
CPE | cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:* cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:* |
06 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-06 17:15
Updated : 2024-11-08 19:51
NVD link : CVE-2024-10318
Mitre link : CVE-2024-10318
CVE.ORG link : CVE-2024-10318
JSON object : View
Products Affected
f5
- nginx_ingress_controller
- nginx_openid_connect
- nginx_api_connectivity_manager
- nginx_instance_manager
CWE
CWE-384
Session Fixation