A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 allows an attacker to log out other users' active sessions. The issue lies in how the SAML2 provider tracks sessions: an unauthenticated attacker who can reach the logout URL can view other users' active sessions (including which service providers they are logged in to) and terminate them. It is also called the "SAML2 multi-session vulnerability."
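The following is an added illustration of the flaw class the advisory describes, not ipsilon's own code: a logout handler that enumerates and terminates every tracked session instead of only the session bound to the caller, placed beside a hardened version that scopes the operation to the caller's authenticated session. The class and function names (`SessionStore`, `SamlSession`, `logout_vulnerable`, `logout_fixed`, `build_store`), the in-memory session layout and the sample users and service-provider URLs are all assumptions constructed for the example.

```python
"""Illustration of the session-tracking flaw class behind CVE-2016-8638.

Added example; this is NOT ipsilon code. The names SessionStore, SamlSession,
logout_vulnerable, logout_fixed and build_store, the in-memory session table
and the sample data are assumptions used only to show the pattern: a logout
endpoint that reads or terminates sessions without tying the operation to the
caller's own authenticated session.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SamlSession:
    """One IdP login and the service providers it has been used to sign in to."""
    session_id: str
    user: str
    providers: List[str] = field(default_factory=list)


class SessionStore:
    """In-memory IdP session table keyed by session id (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SamlSession] = {}

    def add(self, session: SamlSession) -> None:
        self._sessions[session.session_id] = session

    def get(self, session_id: str) -> Optional[SamlSession]:
        return self._sessions.get(session_id)

    def all_sessions(self) -> List[SamlSession]:
        return list(self._sessions.values())

    def remove(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def logout_vulnerable(store: SessionStore, caller_session_id: Optional[str]) -> List[str]:
    """Flawed logout: acts on every tracked session regardless of who is calling.

    Any client that reaches the logout URL, even one without a session cookie,
    learns which providers every user is logged in to, and all of those
    sessions are terminated. This is the impact the advisory describes.
    """
    seen: List[str] = []
    for sess in store.all_sessions():          # caller_session_id is never checked
        for sp in sess.providers:
            seen.append(f"{sess.user}@{sp}")
        store.remove(sess.session_id)
    return seen


def logout_fixed(store: SessionStore, caller_session_id: Optional[str]) -> List[str]:
    """Hardened logout: only the caller's own authenticated session is affected.

    An unauthenticated caller, or one presenting an unknown session id, gets
    nothing back and nothing is terminated.
    """
    if caller_session_id is None:
        return []
    sess = store.get(caller_session_id)
    if sess is None:
        return []
    seen = [f"{sess.user}@{sp}" for sp in sess.providers]
    store.remove(sess.session_id)
    return seen


def build_store() -> SessionStore:
    """Constructed sample state: two logged-in users with different SP sets."""
    store = SessionStore()
    store.add(SamlSession("sid-alice", "alice",
                          ["https://sp1.example/saml", "https://sp2.example/saml"]))
    store.add(SamlSession("sid-bob", "bob", ["https://sp3.example/saml"]))
    return store


if __name__ == "__main__":
    # Unauthenticated caller (no session id) hitting each handler.
    print("vulnerable:", logout_vulnerable(build_store(), None))
    print("fixed:     ", logout_fixed(build_store(), None))
```

The check a practitioner wants is the second call: with no session presented, the hardened handler must return nothing and leave the session table untouched, whereas the flawed one both discloses every user's provider list and empties the table.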
References
Link | Resource |
---|---|
http://rhn.redhat.com/errata/RHSA-2016-2809.html | |
http://www.securityfocus.com/bid/94439 | Third Party Advisory VDB Entry |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638 | Issue Tracking Third Party Advisory |
https://ipsilon-project.org/advisory/CVE-2016-8638.txt | Vendor Advisory |
https://ipsilon-project.org/release/2.1.0.html | |
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c | Patch Vendor Advisory |
History
07 Nov 2023, 02:36
Type | Values Removed | Values Added |
---|---|---|
Summary | A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." |
12 Feb 2023, 23:26
Type | Values Removed | Values Added |
---|---|---|
References | | |
Summary | A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." |
02 Feb 2023, 16:17
Type | Values Removed | Values Added |
---|---|---|
References | | |
Summary | A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. |
Information
Published : 2017-07-12 13:29
Updated : 2023-12-10 12:15
NVD link : CVE-2016-8638
Mitre link : CVE-2016-8638
CVE.ORG link : CVE-2016-8638
Products Affected
ipsilon_project
- ipsilon
CWE
CWE-384: Session Fixation