CVE-2016-8638

EPSS 7.14%
Veröffentlicht 12.07.2017 13:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users.  This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ipsilon Project ≫ Ipsilon Version1.0.0

Ipsilon Project ≫ Ipsilon Version1.0.1

Ipsilon Project ≫ Ipsilon Version1.0.2

Ipsilon Project ≫ Ipsilon Version1.1.0

Ipsilon Project ≫ Ipsilon Version1.1.1

Ipsilon Project ≫ Ipsilon Version1.2.0

Ipsilon Project ≫ Ipsilon Version2.0.0

Ipsilon Project ≫ Ipsilon Version2.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.14%	0.906

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:N/A:P

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

http://rhn.redhat.com/errata/RHSA-2016-2809.html

http://www.securityfocus.com/bid/94439

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638

Third Party Advisory

Issue Tracking

https://ipsilon-project.org/advisory/CVE-2016-8638.txt

Vendor Advisory

https://ipsilon-project.org/release/2.1.0.html

https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c

Patch