Vulnerability Description
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Nginx Api Connectivity Manager | >= 1.3.0, < 1.9.3 |
| F5 | Nginx Ingress Controller | <= 1.12.5 |
| F5 | Nginx Instance Manager | >= 2.5.0, < 2.17.4 |
| F5 | Nginx Openid Connect | < 2024-10-24 |
Related Weaknesses (CWE)
References
- https://my.f5.com/manage/s/article/K000148232MitigationVendor Advisory
FAQ
What is CVE-2024-10318?
CVE-2024-10318 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an ...
How severe is CVE-2024-10318?
CVE-2024-10318 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-10318?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx Api Connectivity Manager, F5 Nginx Ingress Controller, F5 Nginx Instance Manager, F5 Nginx Openid Connect.