CVE-2016-8638

CVSS V2 Medium 6.4 CVSS V3 Critical 9.1
Description
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."
Overview
  • CVE ID
  • CVE-2016-8638
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2017-07-12T13:29:00
  • Last Modified Date
  • 2023-02-12T23:26:16
Weakness Enumerations
CWE URL
CWE-384 http://cwe.mitre.org/data/definitions/384.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:ipsilon_project:ipsilon:1.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:1.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:1.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:1.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:1.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:1.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:2.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:ipsilon_project:ipsilon:2.0.1:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:N/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • PARTIAL
  • Base Score
  • 6.4
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 4.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.1
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.9
  • Impact Score
  • 5.2
References
Reference URL Reference Tags
http://rhn.redhat.com/errata/RHSA-2016-2809.html
http://www.securityfocus.com/bid/94439 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2016:2809
https://access.redhat.com/security/cve/CVE-2016-8638
https://bugzilla.redhat.com/show_bug.cgi?id=1392829
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638 Issue Tracking Third Party Advisory
https://ipsilon-project.org/advisory/CVE-2016-8638.txt Vendor Advisory
https://ipsilon-project.org/release/2.1.0.html
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c Patch Vendor Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2016-8638
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8638
History
Created Old Value New Value Data Type Notes
2022-05-10 18:51:53 Added to TrackCVE
2022-12-02 18:36:28 2017-07-12T13:29Z 2017-07-12T13:29:00 CVE Published Date updated
2022-12-02 18:36:28 2018-01-05T02:31:18 CVE Modified Date updated
2022-12-02 18:36:28 Modified Vulnerability Status updated
2023-02-02 17:06:26 2023-02-02T16:17:42 CVE Modified Date updated
2023-02-02 17:06:27 A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. Description updated
2023-02-02 17:06:30 References updated
2023-02-13 01:07:05 2023-02-12T23:26:16 CVE Modified Date updated
2023-02-13 01:07:05 A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." Description updated