CVE-2017-11191
HIGHFreeIPA 4.x - Authenticated Session Fixation via Old Session ID
Title source: llmDescription
FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern
References (1)
Core 1
Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/143532/FreeIPA-2.213-Session-Hijacking.html
Scores
CVSS v3
8.8
EPSS
0.0169
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-384
Status
published
Products (31)
freeipa/freeipa
4.0.0
freeipa/freeipa
4.0.1
freeipa/freeipa
4.0.2
freeipa/freeipa
4.0.3
freeipa/freeipa
4.0.4
freeipa/freeipa
4.0.5
freeipa/freeipa
4.1.0
freeipa/freeipa
4.1.1
freeipa/freeipa
4.1.2
freeipa/freeipa
4.1.3
... and 21 more
Published
Sep 28, 2017
Tracked Since
Feb 18, 2026