CVE-2024-10318

MEDIUM

NGINX OpenID Connect - Session Fixation

Title source: llm

Description

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

References (1)

[Mitigation, Vendor Advisory] https://my.f5.com/manage/s/article/K000148232

Scores

CVSS v3 5.4

EPSS 0.0106

EPSS Percentile 77.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-384

Status published

Products (4)

f5/nginx_api_connectivity_manager 1.3.0 - 1.9.3

f5/nginx_ingress_controller < 1.12.5

f5/nginx_instance_manager 2.5.0 - 2.17.4

f5/nginx_openid_connect < 2024-10-24

Published Nov 06, 2024

Tracked Since Feb 18, 2026