HIGH · 8.1

CVE-2019-8978

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager.

Vulnerability Description

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.
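The pattern the description gives is observable at the web tier: a single IDMSESSID value (the victim's UDCID, which is guessable when it is the institutional ID) presented from more than one source address, with one of those addresses polling the Banner Web Tailor main page until the victim logs in. The following detector is an added example, not Ellucian code and not from any advisory; it assumes a constructed access-log format in which the reverse proxy appends the IDMSESSID cookie value to each line, and the main-page path, IPs, IDs and timestamps are all hypothetical.

```python
"""Flag the CVE-2019-8978 access pattern in web-tier logs.

Added example, not Ellucian code. The log line layout (CLF plus the
IDMSESSID cookie value as a trailing quoted field), the main-page path and
all sample data are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) '
    r'"IDMSESSID=(?P<idmsessid>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MAIN_PAGE = "/web-tailor/main"   # hypothetical path, not taken from the advisory
WINDOW = timedelta(seconds=30)   # burst window for one source address
BURST_THRESHOLD = 10             # requests from one IP inside WINDOW


def _line(ip, when, idmsessid, path=MAIN_PAGE):
    """Build one constructed log line (used only to assemble sample data)."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 '
            f'"IDMSESSID={idmsessid}"')


T0 = datetime.strptime("21/May/2019:09:00:00 +0000", TS_FMT)
SAMPLE_LOG = "\n".join(
    # attacker: 25 requests in 25 seconds carrying the victim's ID
    [_line("198.51.100.7", T0 + timedelta(seconds=i), "A00123456") for i in range(25)]
    # victim: one normal visit to the main page from their own address
    + [_line("10.20.30.40", T0 + timedelta(seconds=12), "A00123456")]
    # unrelated user: a few slow requests, single address, should not fire
    + [_line("10.20.30.41", T0 + timedelta(seconds=i * 5), "A00999999") for i in range(3)]
)


def parse(log_text):
    """Yield (idmsessid, ip, path, timestamp) for lines that carry the cookie."""
    events = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # no IDMSESSID field: not relevant to this pattern
        events.append((m["idmsessid"], m["ip"], m["path"],
                       datetime.strptime(m["ts"], TS_FMT)))
    return events


def find_session_hijack_candidates(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {idmsessid: finding} for IDs showing the race pattern.

    Fires when one IDMSESSID value hits the main page from two or more
    source addresses and at least one of them sends >= threshold requests
    inside `window` (the attacker's polling loop).
    """
    by_id = defaultdict(lambda: defaultdict(list))  # id -> ip -> [timestamps]
    for idmsessid, ip, path, ts in parse(log_text):
        if path == MAIN_PAGE:
            by_id[idmsessid][ip].append(ts)

    findings = {}
    for idmsessid, per_ip in by_id.items():
        if len(per_ip) < 2:
            continue  # one address only: no evidence of a second party
        burst_ip, burst_count = None, 0
        for ip, stamps in per_ip.items():
            stamps.sort()
            lo = 0
            for hi in range(len(stamps)):          # sliding window over sorted times
                while stamps[hi] - stamps[lo] > window:
                    lo += 1
                if hi - lo + 1 > burst_count:
                    burst_ip, burst_count = ip, hi - lo + 1
        if burst_count >= threshold:
            findings[idmsessid] = {
                "source_ips": sorted(per_ip),
                "burst_ip": burst_ip,
                "burst_count": burst_count,
            }
    return findings


if __name__ == "__main__":
    for idmsessid, finding in find_session_hijack_candidates(SAMPLE_LOG).items():
        print(idmsessid, finding)
```

The two conditions matter together: a shared IDMSESSID alone is noisy (NAT, a user switching networks), and a burst alone is ordinary load testing or a misbehaving client; the combination is the signature the description gives, namely a second party polling the page while the legitimate user authenticates. If the proxy does not log the cookie, the fallback is to correlate by the UDCID the application itself records at login, which loses the pre-login polling phase.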

CVSS Score

8.1

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor     Product                               Versions
Ellucian   Banner Enterprise Identity Services   8.3, 8.3.1, 8.3.2, 8.4
Ellucian   Banner Web Tailor                     8.8.3, 8.8.4, 8.9

Related Weaknesses (CWE)

References

FAQ

What is CVE-2019-8978?

CVE-2019-8978 is a vulnerability with a CVSS score of 8.1 (HIGH). An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager.

How severe is CVE-2019-8978?

CVE-2019-8978 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-8978?

Check the references section above for vendor advisories and patch information. Affected products include: Ellucian Banner Enterprise Identity Services, Ellucian Banner Web Tailor.