Session Token Vulnerability in Red Hat Gluster Storage by Red Hat
CVE-2018-1127

4.2 MEDIUM

Key Information:

Vendor: Red Hat
CVE Published: 11 September 2018

Summary

The Tendrl API in Red Hat Gluster Storage prior to version 3.4.0 has a session management flaw: session tokens are not promptly invalidated on the server side after the user logs out. An attacker who has obtained a session token, for example by sniffing or a man-in-the-middle position, can therefore keep using the session for a few minutes after logout and authenticate as the targeted user.
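To show the difference between the weak and the corrected behaviour, here is an added example (constructed for this page, not Tendrl's own code) with a hypothetical in-memory session store; the only thing that changes between the two variants is whether logout revokes the server-side record or merely lets it age out, and `token_usable_after_logout` is the audit check a defender would run against an API.

```python
import secrets
import time

SESSION_TTL_SECONDS = 300  # constructed value: the "few minutes" of residual validity


class SessionStore:
    """Hypothetical in-memory session store. With revoke_on_logout=False, logout
    only happens on the client (cookie forgotten) and the server record lives
    until its TTL expires, which is the weakness described above."""

    def __init__(self, revoke_on_logout: bool, clock=time.monotonic):
        self.revoke_on_logout = revoke_on_logout
        self.clock = clock  # injectable for deterministic testing
        self._sessions: dict[str, tuple[str, float]] = {}  # token -> (user, expires_at)

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.clock() + SESSION_TTL_SECONDS)
        return token

    def logout(self, token: str) -> None:
        if self.revoke_on_logout:
            # Hardened: drop the server-side record immediately.
            self._sessions.pop(token, None)
        # Weak variant: nothing happens server-side; the token stays valid until TTL.

    def authenticate(self, token: str):
        """Return the user bound to a valid token, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            self._sessions.pop(token, None)
            return None
        return user


def token_usable_after_logout(store: SessionStore, user: str = "alice") -> bool:
    """Audit check: True if a previously captured token still authenticates
    right after the legitimate user logged out (the advisory's flaw)."""
    token = store.login(user)
    store.logout(token)
    return store.authenticate(token) == user
```

The same check translates directly to a black-box test against a real API: log in, log out, then replay the old token and expect a 401.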

Affected Version(s)

Red Hat Gluster Storage 3.4.0

References

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved