First published: Wed Nov 06 2024 (Updated: )
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where the nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the victim's session to be associated with the attacker-controlled account, leading to potential misuse of the victim's session.
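The defensive point of this advisory is that the relying party must bind the ID token it receives at the callback to the login that this particular browser session started, and the OpenID Connect `nonce` is the claim designed for that. The following is an added illustration, not code from the NGINX reference implementation or from F5: a minimal relying-party flow in Python that generates a nonce at login start, stores it in the session, and then compares it against the `nonce` claim of the returned ID token. To keep it self-contained it signs tokens with HS256 under a constructed shared key, standing in for the provider's asymmetric signature that a real client verifies against the provider's JWKS; it also omits the other mandatory checks (`iss`, `aud`, `exp`, `state`) a production client performs. The vulnerable handler is shown beside the hardened one so the difference in outcome is visible.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example only: an HS256 shared key so the block runs with
# the standard library. Real providers sign ID tokens with RS256/ES256 keys
# published in their JWKS; the signature check below stands in for that step.
EXAMPLE_SIGNING_KEY = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = EXAMPLE_SIGNING_KEY) -> str:
    """Stand-in for the OpenID Provider: build an HS256-signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = EXAMPLE_SIGNING_KEY) -> dict:
    """Verify the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def start_login(session: dict) -> dict:
    """Relying party, login start: mint a fresh nonce, bind it to this browser
    session, and return the parameters that go into the authorization request."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return {"response_type": "code", "scope": "openid", "nonce": nonce}


def callback_without_nonce_check(session: dict, id_token: str) -> str:
    """Vulnerable pattern: any validly signed ID token is accepted, so nothing
    ties the token to the login this session actually started."""
    claims = verify_id_token(id_token)
    session["user"] = claims["sub"]
    return claims["sub"]


def callback_with_nonce_check(session: dict, id_token: str) -> str:
    """Hardened pattern: the token's nonce must equal the one this session
    generated in start_login(), and the stored nonce is consumed on use."""
    claims = verify_id_token(id_token)
    expected_nonce = session.pop("oidc_nonce", None)
    if expected_nonce is None:
        raise ValueError("no login in progress for this session")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: token was not issued for this login")
    session["user"] = claims["sub"]
    return claims["sub"]


def demo() -> tuple:
    """Run both handlers against a token issued for a different login (constructed
    sample) and then the hardened handler against a token for the right login.
    Returns (vulnerable_outcome, hardened_outcome_on_foreign_token, legit_outcome)."""
    foreign_token = mint_id_token({"sub": "other-account", "nonce": "nonce-of-another-login"})

    vuln_session: dict = {}
    start_login(vuln_session)
    vulnerable_outcome = callback_without_nonce_check(vuln_session, foreign_token)

    hard_session: dict = {}
    start_login(hard_session)
    try:
        callback_with_nonce_check(hard_session, foreign_token)
        hardened_outcome = "accepted"
    except ValueError:
        hardened_outcome = "rejected"

    ok_session: dict = {}
    params = start_login(ok_session)
    own_token = mint_id_token({"sub": "victim", "nonce": params["nonce"]})
    legit_outcome = callback_with_nonce_check(ok_session, own_token)

    return vulnerable_outcome, hardened_outcome, legit_outcome


if __name__ == "__main__":
    print(demo())
```

In the vulnerable handler the session ends up bound to `other-account` even though that token was never issued for this session's login, which is the fixation outcome the advisory describes; the hardened handler rejects it and only accepts the token carrying the nonce this session generated. Consuming the nonce with `pop` also prevents the same token from being presented twice.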
Credit: f5sirt@f5.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 NGINX Plus | 3 | |
| F5 NGINX Instance Manager | >=2.5.0<=2.17.3 | 2.17.4 |
| F5 NGINX API Connectivity Manager | >=1.3.0<=1.9.2 | 1.9.3 |
| F5 NGINX Ingress Controller | >=3.0.0<=3.7.0 | 3.7.1 |
| F5 NGINX Ingress Controller | >=2.2.1<=2.4.2 | |
| F5 NGINX Ingress Controller | =1.12.5 | |
| F5 NGINX API Connectivity Manager | >=1.3.0<1.9.3 | |
| F5 NGINX Ingress Controller | <=1.12.5 | |
| F5 NGINX Ingress Controller | >=3.0.0<3.7.1 | |
| F5 NGINX Instance Manager | >=2.5.0<2.17.4 | |
| F5 Nginx Openid Connect Nginx Plus | <2024-10-24 | |