CVE-2018-1127 MEDIUM

Vendor Red Hat
Product Red Hat Gluster Storage
Weakness CWE-613 · Insufficient session expiration
Published September 11, 2018
Last update August 5, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes, allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

Key dates

Disclosure timeline

September 11, 2018 CVE published
August 5, 2024 Record updated