Vulnerability Details : CVE-2016-8638
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 allows an attacker to log out the active sessions of other users. The issue lies in how Ipsilon tracks sessions: an unauthenticated attacker can view and terminate active sessions belonging to other users. It is also referred to as the "SAML2 multi-session vulnerability."
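To make the bug class concrete, the following is an added example written for this page. It is not code from the Ipsilon project and does not reproduce Ipsilon's internals; names such as SessionStore, logout_vulnerable and logout_hardened, and the two-user scenario in demo(), are assumptions. It models an identity provider that keeps several live SAML2 sessions per user in one table and exposes list and logout actions. The vulnerable shape operates on the whole table without authenticating the caller, so an anonymous client can enumerate every session and terminate them all; the hardened shape requires a valid session and scopes both reads and terminations to the caller's own user.

```python
# Illustrative model of the session-scoping failure, written for this page.
# NOT Ipsilon's code; SessionStore and the handler names are assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str                                     # opaque session identifier
    user: str                                    # authenticated principal
    providers: set = field(default_factory=set)  # SAML2 SPs signed in under this session


class SessionStore:
    """In-memory table of every live IdP session, across all users."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, provider):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, {provider})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def active(self):
        return list(self._sessions.values())

    def terminate(self, sid):
        return self._sessions.pop(sid, None) is not None


# Vulnerable shape: the endpoints act on the global table and never ask who is
# calling, so any unauthenticated client can see and end every user's session.
def list_sessions_vulnerable(store):
    return [(s.user, s.sid) for s in store.active()]


def logout_vulnerable(store):
    victims = store.active()
    for s in victims:
        store.terminate(s.sid)
    return len(victims)


# Hardened shape: the caller must present a valid session, and every read or
# termination is restricted to sessions owned by that caller's user.
def _require_caller(store, caller_sid):
    caller = store.get(caller_sid)
    if caller is None:
        raise PermissionError("session management requires an authenticated session")
    return caller


def list_sessions_hardened(store, caller_sid):
    caller = _require_caller(store, caller_sid)
    return [(s.user, s.sid) for s in store.active() if s.user == caller.user]


def logout_hardened(store, caller_sid, everywhere=False):
    """everywhere=False ends only the calling session; everywhere=True ends all of
    the caller's own sessions (single logout across SPs) but never another user's."""
    caller = _require_caller(store, caller_sid)
    targets = [s for s in store.active() if s.user == caller.user] if everywhere else [caller]
    for s in targets:
        store.terminate(s.sid)
    return len(targets)


def demo():
    """Constructed scenario (two users, three sessions) showing what each shape allows."""
    results = {}

    store = SessionStore()
    store.login("alice", "sp-wiki")
    store.login("alice", "sp-mail")
    store.login("bob", "sp-wiki")
    # The attacker holds no session at all.
    results["vuln_visible"] = len(list_sessions_vulnerable(store))  # sees all 3
    results["vuln_killed"] = logout_vulnerable(store)               # ends all 3
    results["vuln_left"] = len(store.active())                      # nothing survives

    store = SessionStore()
    store.login("alice", "sp-wiki")
    store.login("alice", "sp-mail")
    bob = store.login("bob", "sp-wiki")
    try:
        list_sessions_hardened(store, "not-a-real-sid")
        results["anon_rejected"] = False
    except PermissionError:
        results["anon_rejected"] = True                              # anonymous caller refused
    results["bob_visible"] = len(list_sessions_hardened(store, bob))        # only his own
    results["bob_killed"] = logout_hardened(store, bob, everywhere=True)     # only his own
    results["alice_left"] = sum(1 for s in store.active() if s.user == "alice")  # untouched
    return results


if __name__ == "__main__":
    print(demo())
```

The check a reviewer should apply to any multi-session logout or session-listing endpoint is the one in `_require_caller` plus the `s.user == caller.user` filter: the caller is authenticated first, and the set of sessions the action may touch is derived from the caller's identity, never from the global table.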
Products affected by CVE-2016-8638
- cpe:2.3:a:ipsilon_project:ipsilon:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ipsilon_project:ipsilon:1.1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8638
- EPSS score: 0.83% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-8638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 | NIST | |
The first row is the CVSS v2 scoring and the second the CVSS v3.0 scoring; both rate the issue as network-reachable, low complexity, and requiring no authentication, with confidentiality and availability impact and no integrity impact.
CWE ids for CVE-2016-8638
- Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-8638
- http://rhn.redhat.com/errata/RHSA-2016-2809.html - RHSA-2016:2809 - Security Advisory - Red Hat Customer Portal
- https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c - Commit 511fa8b7001c2f9a42301aa1d4b85aaf170a461c - ipsilon - Pagure.io (Patch; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638 - Bug 1392829 - (CVE-2016-8638) ipsilon: DoS via logging out all open SAML2 sessions (Issue Tracking; Third Party Advisory)
- https://ipsilon-project.org/advisory/CVE-2016-8638.txt - Ipsilon project advisory for CVE-2016-8638 (Vendor Advisory)
- https://ipsilon-project.org/release/2.1.0.html - Ipsilon 2.1.0 release page
- http://www.securityfocus.com/bid/94439 - Ipsilon CVE-2016-8638 Denial of Service Vulnerability (Third Party Advisory; VDB Entry)