A session fixation issue was discovered in the NGINX OpenID Connect reference implementation: the nonce that the relying party generates when it starts a login, and that the identity provider echoes back inside the ID token, was not checked when the authorization response came back. The nonce is what ties an ID token to the browser session that initiated the login, so without that check the callback accepts any valid ID token, including one obtained from a different login. An attacker can therefore complete a login to an attacker-controlled account and cause a victim's browser to deliver that response to the callback, fixing the victim's session to the attacker's account. The attacker cannot log in as the victim, but the victim's session is now associated with an account the attacker controls, and actions the victim takes in that session can be misused.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| f5 | nginx_api_connectivity_manager | 1.3.0 - 1.9.3 | - |
| f5 | nginx_ingress_controller | 1.12.5 | - |
| f5 | nginx_ingress_controller | 2.2.1 - 2.4.2 | - |
| f5 | nginx_ingress_controller | 3.0.0 - 3.7.1 | - |
| f5 | nginx_instance_manager | 2.5.0 - 2.17.4 | - |
| f5 | nginx_openid_connect | 2024-10-24 | - |

Affected Products: 6
References: 1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N