CVE-2024-10318

Опубликовано: 06 нояб. 2024

Источник: redhat

CVSS3: 5.4

EPSS Низкий

Описание

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

A session fixation vulnerability was found in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, potentially misusing the victim's session.

Отчет

This flaw affects the nginx-openid-connect reference implementation, which is not shipped in any Red Hat products.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Trusted Artifact Signer	rhtas/tuftool-rhel9	Not affected
Red Hat Trusted Profile Analyzer	rhtpa/rhtpa-trustification-service-rhel9	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-384

https://bugzilla.redhat.com/show_bug.cgi?id=2324216openidconnect: NGINX OpenID Connect Vulnerability

EPSS

Процентиль: 68%

0.00578

Низкий

5.4 Medium

CVSS3

Связанные уязвимости

CVE-2024-10318

CVSS3: 5.4

nvd

больше 1 года назад

GHSA-8mqv-23wv-wqfg

CVSS3: 5.4

github

больше 1 года назад

BDU:2024-09507

CVSS3: 5.4

fstec

больше 1 года назад

Уязвимость модуля аутентификацию через протокол OpenID Connect веб-сервера NGINX, связанная с некорректным управлением сеансом, позволяющая нарушителю получить полный доступ к приложению

EPSS

Процентиль: 68%

0.00578

Низкий

5.4 Medium

CVSS3