Unrated severity · NVD Advisory · Published Nov 6, 2024 · Updated Nov 6, 2024
NGINX OpenID Connect Vulnerability
CVE-2024-10318
Description
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the victim's session to be associated with the attacker-controlled account, leading to potential misuse of the victim's session.
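The check whose absence the description names, written out as an added example; this is not code from the NGINX OpenID Connect reference implementation. The function names, the plain-object session store and the `oidcNonce` field are hypothetical, and the ID token claims are assumed to be signature-verified already.

```javascript
const crypto = require('node:crypto');

// Login start: mint a nonce, keep it in this browser's session, and send the
// same value as the `nonce` parameter of the authorization request.
function beginLogin(session) {
  session.oidcNonce = crypto.randomBytes(32).toString('hex');
  return { nonce: session.oidcNonce };
}

// Callback: bind the ID token to THIS session by comparing its `nonce` claim
// with the stored value. Without this comparison, a token from any other
// login flow would be accepted and the session tied to that token's account.
function completeLogin(session, idTokenClaims) {
  const expected = session.oidcNonce;
  delete session.oidcNonce; // single use, consumed even when the check fails
  const received = idTokenClaims.nonce;
  if (typeof expected !== 'string' || typeof received !== 'string') {
    return { ok: false, reason: 'missing nonce' };
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'nonce mismatch' };
  }
  session.subject = idTokenClaims.sub;
  return { ok: true, subject: session.subject };
}

// Constructed scenario: three callbacks against in-memory sessions.
function demo() {
  const sessionA = {};
  const sessionB = {};
  beginLogin(sessionA);
  const flowB = beginLogin(sessionB);
  // A token minted for session B's flow arrives at session A's callback.
  const crossSession = completeLogin(sessionA, { sub: 'account-b', nonce: flowB.nonce });
  // A token carrying the nonce of the session that started the flow.
  const sessionC = {};
  const flowC = beginLogin(sessionC);
  const sameSession = completeLogin(sessionC, { sub: 'account-a', nonce: flowC.nonce });
  // A callback on a session that never started a login.
  const unsolicited = completeLogin({}, { sub: 'account-b', nonce: flowB.nonce });
  return { crossSession, sameSession, unsolicited, subjectA: sessionA.subject };
}
```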
Affected products
- Range: 1.0.0
- Range: 2.5.0
Patches
No patches discovered yet.
References
- my.f5.com/manage/s/article/K000148232 (mitre, vendor-advisory)