Vulnerability Details : CVE-2019-8978
Potential exploit
An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.
Vulnerability category: Bypass, Gain privilege, Denial of service
Products affected by CVE-2019-8978
- cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_web_tailor:8.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_web_tailor:8.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:ellucian:banner_web_tailor:8.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-8978
- 26.06%: Probability of exploitation activity in the next 30 days
- ~96%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-8978
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2019-8978
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-8978
- https://seclists.org/bugtraq/2019/May/31
  Bugtraq: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services (Mailing List; Third Party Advisory)
- https://ecommunities.ellucian.com/message/252810#252810
  Sign In (Permissions Required)
- http://seclists.org/fulldisclosure/2019/May/18
  Full Disclosure: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services (Mailing List; Third Party Advisory)
- https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt
  (Third Party Advisory)
- https://ecommunities.ellucian.com/message/252749#252749
  Ellucian - Signing in... (Permissions Required)
- http://packetstormsecurity.com/files/152856/Ellucian-Banner-Web-Tailor-Banner-Enterprise-Identity-Services-Improper-Authentication.html
  Ellucian Banner Web Tailor / Banner Enterprise Identity Services Improper Authentication ≈ Packet Storm (Third Party Advisory; VDB Entry)