CVE-2024-10318 MEDIUM

CVE-2024-10318: NGINX OpenID Connect Vulnerability

Vendor F5

Product NGINX OpenID Connect

Weakness CWE-384 · Session fixation

Published November 6, 2024

Last update November 6, 2024

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

Key dates

Disclosure timeline

November 6, 2024 CVE published

November 6, 2024 Record updated

Identifiers

CVE CVE-2024-10318

CWE CWE-384

CVSS 5.4 / MEDIUM

Affected versions

Vendor F5

Product NGINX OpenID Connect

Affected ≥ fa1ad160e2637d1d583611124478039170d726ab and < 133504f4fd9f72f3e36668f9f2f3d32a86fcb269

Vendor F5

Product NGINX Instance Manager

Affected ≥ 2.5.0 and < 2.17.4

Vendor F5

Product NGINX API Connectivity Manager

Affected ≥ 1.0.0 and < 1.9.3

Vendor F5

Product NGINX Ingress Controller

Affected ≥ 1.0.0 and < 3.7.1