CVE-2018-1127

CWE-613 — Insufficient Session Expiration CWE-3846 documents5 sources

Severity

8.1HIGH

EPSS

0.4%

top 37.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Gluster Storage RED HAT RED HAT Gluster Storage

Timeline

PublishedSep 11

Latest updateMay 13

Description

Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages2 packages

▶NVDredhat/gluster_storage< 3.4

▶CVEListV5red_hat/red_hat_gluster_storage3.4.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-jwq3-h8rx-wcwj: Tendrl API in Red Hat Gluster Storage before 3↗2022-05-13

▶

CVEList

CVE-2018-1127: Tendrl API in Red Hat Gluster Storage before 3↗2018-09-11

▶

📋Vendor Advisories

Red Hat

tendrl-api: Improper cleanup of session token can allow attackers to hijack user sessions↗2018-05-08

▶

💬Community

Bugzilla

CVE-2018-16376 openjpeg: Heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c↗2018-09-06

▶

Bugzilla

CVE-2018-1127 tendrl-api: Improper cleanup of session token can allow attackers to hijack user sessions↗2018-05-08

▶