9.1
CVE-2016-8638
- EPSS 2.12%
- Veröffentlicht 12.07.2017 13:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
LoginA vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ipsilon Project ≫ Ipsilon Version1.0.0
Ipsilon Project ≫ Ipsilon Version1.0.1
Ipsilon Project ≫ Ipsilon Version1.0.2
Ipsilon Project ≫ Ipsilon Version1.1.0
Ipsilon Project ≫ Ipsilon Version1.1.1
Ipsilon Project ≫ Ipsilon Version1.2.0
Ipsilon Project ≫ Ipsilon Version2.0.0
Ipsilon Project ≫ Ipsilon Version2.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.12% | 0.795 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
|
| nvd@nist.gov | 6.4 | 10 | 4.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:P
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
http://rhn.redhat.com/errata/RHSA-2016-2809.html
http://www.securityfocus.com/bid/94439
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638
https://ipsilon-project.org/advisory/CVE-2016-8638.txt
https://ipsilon-project.org/release/2.1.0.html
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c