CVE-2024-10318

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Nov 6, 2024
CWE ID 384

Summary

CVE-2024-10318 is a session fixation vulnerability affecting the NGINX OpenID Connect reference implementation. The issue arises from a failure to check a nonce at login time, allowing an attacker to manipulate a victim's session. Although the attacker cannot directly log in as the victim, they can force the session to be associated with an attacker-controlled account, potentially leading to misuse of the victim's session and associated privileges. This vulnerability could result in unauthorized access to protected resources or other security consequences. Users are advised to update their NGINX OpenID Connect implementation as soon as a patch becomes available to mitigate this risk.
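As an added illustration of the mitigation the summary points to (not code from NGINX or the OpenID Connect reference implementation), the following Python sketches a relying party's login callback in two forms: one that binds the session to whatever account the ID token names without checking the nonce, and one that only accepts an ID token whose `nonce` claim matches the nonce the session generated when the login started. Class and function names, the claim dictionaries, and the account names are constructed for this example; the claims are assumed to have already passed signature, issuer and audience verification.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    # Relying-party session state. pending_nonce/pending_state are set when a
    # login starts and cleared once a callback is accepted (single use).
    pending_nonce: Optional[str] = None
    pending_state: Optional[str] = None
    subject: Optional[str] = None  # the authenticated user's 'sub' claim


def start_login(session: Session) -> dict:
    """Begin an authorization-code flow: bind a fresh nonce and state to this session.
    Both values go into the authorization request; the nonce is echoed back in the ID token."""
    session.pending_nonce = secrets.token_urlsafe(32)
    session.pending_state = secrets.token_urlsafe(32)
    return {"state": session.pending_state, "nonce": session.pending_nonce}


def complete_login_unchecked(session: Session, id_token_claims: dict) -> bool:
    """Weak callback: the nonce is never compared, so the session ends up bound
    to whichever account the presented ID token names (the CWE-384 pattern)."""
    session.subject = id_token_claims["sub"]
    return True


def complete_login_checked(session: Session, returned_state: str, id_token_claims: dict) -> bool:
    """Hardened callback: accept the ID token only if a login is in progress for this
    session, the returned state matches, and the token's nonce equals the session's nonce."""
    if session.pending_nonce is None or session.pending_state is None:
        return False  # no login was started from this session
    if not secrets.compare_digest(returned_state, session.pending_state):
        return False
    token_nonce = id_token_claims.get("nonce")
    if not token_nonce or not secrets.compare_digest(token_nonce, session.pending_nonce):
        return False  # token was minted for a different login, reject it
    # Nonce and state are single use: clear them before binding the identity.
    session.pending_nonce = None
    session.pending_state = None
    session.subject = id_token_claims["sub"]
    return True


def scenario() -> dict:
    """Constructed scenario: a session starts a login, but the callback receives an
    ID token issued for a different login (its nonce does not match this session's)."""
    foreign_token = {"sub": "attacker-controlled-account", "nonce": "nonce-from-another-login"}

    weak = Session()
    start_login(weak)
    complete_login_unchecked(weak, foreign_token)

    hardened = Session()
    params = start_login(hardened)
    accepted = complete_login_checked(hardened, params["state"], foreign_token)

    return {
        "unchecked_subject": weak.subject,      # bound to the foreign account
        "checked_accepted": accepted,           # False: nonce mismatch
        "checked_subject": hardened.subject,    # still None
    }


if __name__ == "__main__":
    print(scenario())
```

The checked variant also clears the pending values on success, so a callback cannot be replayed against the same session once it has been consumed.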
