Risk | Low
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2024-10318
CWE-ID | CWE-384
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | NGINX Instance Manager (Server applications / Web servers); NGINX Ingress Controller (Server applications / Web servers); NGINX API Connectivity Manager (Server applications / Other server solutions)
Vendor | F5 Networks
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU100049
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-10318
CWE-ID: CWE-384 - Session Fixation
Exploit availability: No
Description
The vulnerability allows a remote user to compromise accounts of other users.
The vulnerability exists due to a session fixation issue within the NGINX OpenID Connect reference implementation. A remote user can associate a victim's browser session with an account under the attacker's control and thereby gain unauthorized access to the application in the victim's context.
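The following is an added illustration of the CWE-384 pattern named above, written for this bulletin; it is not code from the NGINX OpenID Connect reference implementation or from F5, and it does not reproduce the specific defect. It uses a constructed in-memory session store and two toy callback handlers: one that accepts any OIDC state and keeps the pre-login session identifier, and a hardened one that binds the state to the browser session that started the login, consumes it once, and rotates the session identifier after authentication. The function names (start_login, callback_vulnerable, callback_hardened) and the store API are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session record (constructed for this example)."""
    state: Optional[str] = None   # OIDC state issued when this session started a login
    user: Optional[str] = None    # subject bound to this browser session after login


class SessionStore:
    """Minimal in-memory session store standing in for a real one."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        # Issue a fresh identifier and retire the old one, so a value known
        # before authentication does not remain valid afterwards (CWE-384).
        sess = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


def start_login(store: SessionStore, sid: str) -> str:
    """Begin an OIDC login: mint a per-session state and remember it server-side."""
    sess = store.get(sid)
    if sess is None:
        raise KeyError("unknown session")
    sess.state = secrets.token_urlsafe(32)
    return sess.state  # would be sent to the identity provider in the authorization request


def callback_vulnerable(store: SessionStore, sid: str, state: str, subject: str) -> str:
    """Weak pattern: state is never checked against this session and the
    session identifier survives login, so an account can be attached to
    whatever session the browser already carries."""
    sess = store.get(sid)
    if sess is None:
        raise KeyError("unknown session")
    sess.user = subject
    return sid


def callback_hardened(store: SessionStore, sid: str, state: str, subject: str) -> str:
    """Hardened pattern: the state must be the one this very session issued,
    it is single-use, and the session identifier is rotated after login."""
    sess = store.get(sid)
    if sess is None or sess.state is None or not hmac.compare_digest(sess.state, state):
        raise PermissionError("state does not belong to this session")
    sess.state = None            # consume the state so it cannot be replayed
    sess.user = subject
    return store.rotate(sid)     # fresh identifier for the authenticated session


def state_accepted(handler, store: SessionStore, sid: str, state: str, subject: str) -> bool:
    """Return True if the handler completes login for (sid, state); False if it refuses."""
    try:
        handler(store, sid, state, subject)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = SessionStore()
    browser = store.new()
    own_state = start_login(store, browser)
    other = store.new()
    other_state = start_login(store, other)
    # A state issued for a different session is refused by the hardened handler.
    print("cross-session state accepted (hardened):", state_accepted(callback_hardened, store, browser, other_state, "x"))
    print("own state accepted (hardened):", state_accepted(callback_hardened, store, browser, own_state, "alice"))
```

The hardened handler refuses a callback whose state was not issued for the calling session, and the identifier returned after login differs from the one the browser held beforehand, which is the property a defender should verify in any OIDC relying party.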
Install updates from the vendor's website.
Vulnerable software versions
NGINX Instance Manager: 2.5.0 - 2.17.3
NGINX Ingress Controller: 1.12.5 - 3.7.0
NGINX API Connectivity Manager: 1.3.0 - 1.9.2
Vendor advisory: http://my.f5.com/manage/s/article/K000148232
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.