CVE-2024-10318— NGINX OpenID Connect Vulnerability

CVSS 5.4 · Medium EPSS 1.06% · P78 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-10318

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

NGINX OpenID Connect Vulnerability

Source: NVD (National Vulnerability Database)

Vulnerability Description

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

会话固定

Source: NVD (National Vulnerability Database)

Vulnerability Title

F5 Nginx 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

F5 Nginx是美国F5公司的一款轻量级Web服务器/反向代理服务器及电子邮件（IMAP/POP3）代理服务器，在BSD-like协议下发行。 F5 Nginx存在安全漏洞，该漏洞源于登录时未检查随机数。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE
F5	NGINX OpenID Connect	fa1ad160e2637d1d583611124478039170d726ab ~ 133504f4fd9f72f3e36668f9f2f3d32a86fcb269	-
F5	NGINX Instance Manager	2.5.0 ~ 2.17.4	-
F5	NGINX API Connectivity Manager	1.0.0 ~ 1.9.3	-
F5	NGINX Ingress Controller	1.0.0 ~ 3.7.1	-

II. Public POCs for CVE-2024-10318

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-10318

请登录查看更多情报信息。

IV. Related Vulnerabilities

Same vendor: F5

Same weakness: CWE-384

V. Comments for CVE-2024-10318

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-10318— NGINX OpenID Connect Vulnerability

I. Basic Information for CVE-2024-10318

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-10318

III. Intelligence Information for CVE-2024-10318

IV. Related Vulnerabilities

V. Comments for CVE-2024-10318

Leave a comment