Session Fixation Vulnerability in NGINX OpenID Connect Reference Implementation
CVE-2024-10318

5.4MEDIUM

Key Information:

Vendor: NGINX
Status: Nginx Ingress Controller; Nginx Instance Manager; Nginx Api Connectivity Manager
Vendor: CVE Published:; 6 November 2024

What is CVE-2024-10318?

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

References

https://my.f5.com/manage/s/article/K000148232

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2024