CVE-2014-3616 — Insufficient Session Expiration in F5 Nginx

CWE-613 — Insufficient Session Expiration10 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

2.4%

top 14.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Nginx Debian Linux

Timeline

PublishedDec 8

Latest updateMay 13

Description

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDf5/nginx0.5.6 — 1.6.2+1

▶Debianf5/nginx< 1.6.2-1+3

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-ch64-2v27-7pwp: nginx 0↗2022-05-13

▶

CVEList

CVE-2014-3616: nginx 0↗2014-12-08

▶

OSV

CVE-2014-3616: nginx 0↗2014-12-08

▶

📋Vendor Advisories

Ubuntu

nginx vulnerability↗2014-09-22

▶

Red Hat

nginx: virtual host confusion↗2014-08-06

▶

Debian

CVE-2014-3616: nginx - nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_s...↗2014

▶

💬Community

Bugzilla

CVE-2014-3616 nginx: virtual host confusion [epel-all]↗2014-09-17

▶

Bugzilla

CVE-2014-3616 nginx: virtual host confusion↗2014-09-17

▶

Bugzilla

CVE-2014-3616 nginx: virtual host confusion [fedora-all]↗2014-09-17

▶