Overview
- Description
- A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
- Source
- f5sirt@f5.com
- NVD status
- Analyzed
Risk scores
CVSS 4.0
- Type
- Secondary
- Base score
- 5.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
Social media
- Hype score
- Not currently trending
『An attacker may be able to force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.』 K000148232: NGINX OpenID Connect vulnerability CVE-2024-10318 https://t.co/rY24uGVcu8
@autumn_good_35
10 Nov 2024
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-10318 (Published: 2024-11-06) - High severity vulnerability in F5 Networks. Affects specific versions of the product. Remediation is crucial! For detailed guidance, visit: https://t.co/wMPksnEdrN. Stay secure! 🔒 #CyberSecurity #F5Networks #CVE
@transilienceai
7 Nov 2024
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-10318 (Published: 2024-11-06) - A high-severity vulnerability in F5 Networks' products. Affected versions are at risk! 🔒 Ensure you update to the latest patches to mitigate potential exploits. For detailed remediation steps, visit: https://t.co/wMPksnEdrN… https://t.
@transilienceai
7 Nov 2024
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2024-10318 (Published: 2024-11-06) - High severity vulnerability in F5 Networks. Affects specific versions of their products. Remediation is crucial! For detailed guidance, visit: https://t.co/wMPksnEdrN. Stay secure! #CyberSecurity #F5Networks #CVE
@transilienceai
7 Nov 2024
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-10318 A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacke… https://t.co/NEFIyiFJXb
@CVEnew
6 Nov 2024
585 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_api_connectivity_manager:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E624284B-CE82-453E-826A-9EE55A23EABB",
"versionEndExcluding": "1.9.3",
"versionStartIncluding": "1.3.0"
},
{
"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DA2D8A1D-8D1C-40AD-BF77-72CC7154DB42",
"versionEndIncluding": "1.12.5"
},
{
"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "952208F5-8190-43A7-9C76-BE013518C475",
"versionEndIncluding": "2.4.2",
"versionStartIncluding": "2.2.1"
},
{
"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "46CB1DD5-4B6F-41A4-8A34-9C6C595081A0",
"versionEndExcluding": "3.7.1",
"versionStartIncluding": "3.0.0"
},
{
"criteria": "cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1198CC09-9CEE-4695-BB75-8BA04735E653",
"versionEndExcluding": "2.17.4",
"versionStartIncluding": "2.5.0"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:f5:nginx_openid_connect:*:*:*:*:*:nginx_plus:*:*",
"vulnerable": true,
"matchCriteriaId": "55029B4C-3E0B-4159-8422-CE0AB7C1138C",
"versionEndExcluding": "2024-10-24"
}
],
"operator": "OR"
}
]
}
]