CVE-2019-8978

HIGH EXPLOITED

Ellucian Banner Enterprise Identity Services - Race Condition

Title source: rule

Description

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

Exploits (2)

nomisec - WORKING POC - 9 stars - by SecKatie - poc
https://github.com/SecKatie/CVE-2019-8978

inthewild - WORKING POC - poc
https://github.com/joshuamulliken/cve-2019-8978

Scores

CVSS v3 8.1
EPSS 0.1177
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-07-19
CWE CWE-287 (Improper Authentication), CWE-362 (Race Condition)
Status published
Products (7)
ellucian/banner_enterprise_identity_services 8.3
ellucian/banner_enterprise_identity_services 8.3.1
ellucian/banner_enterprise_identity_services 8.3.2
ellucian/banner_enterprise_identity_services 8.4
ellucian/banner_web_tailor 8.8.3
ellucian/banner_web_tailor 8.8.4
ellucian/banner_web_tailor 8.9
Published May 14, 2019
Tracked Since Feb 18, 2026