CVE-2024-10318
Severity
5.1 MEDIUM
EPSS
1.1%
top 22.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Nov 6
Description
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation: the nonce carried in the ID token was not checked against the nonce issued at login time. In OpenID Connect the nonce is what binds an ID token to the browser session that started the authorization request, so without the check an attacker can fix a victim's session to an attacker-controlled account. The attacker cannot log in as the victim, but can force the victim's browser session to be associated with the attacker's account, leading to potential misuse of the victim's session (for example, data the victim enters while "logged in" ends up in the attacker's account).
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages (8 packages)
Source: CVEListV5. Repository: f5/nginx_openid_connect. Affected commit range: fa1ad160e2637d1d583611124478039170d726ab — 133504f4fd9f72f3e36668f9f2f3d32a86fcb269