{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "1.3.0" }, { "fixed": "1.9.3" } ] }, { "events": [ { "introduced": "2.5.0" }, { "fixed": "2.17.4" } ] }, { "events": [ { "introduced": "0" }, { "fixed": "2024-10-24" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "1.12.5" }, { "introduced": "2.2.1" }, { "last_affected": "2.4.2" }, { "introduced": "3.0.0" }, { "fixed": "3.7.1" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "bc770081fd677274c7cdca57140fd06112e9a8ab" }, { "introduced": "9d1331a520f82918db5d8018dd926aaf557c4a93" }, { "last_affected": "4252538e0d02dfd42cd3b35884cd5b50147814b7" }, { "introduced": "868bb7771adf2bfebcc1d42b96a26e13123cdca7" }, { "fixed": "cc54bee9b88db2d8c3c8f75f662c8af3b7f549ae" } ], "repo": "https://github.com/nginxinc/kubernetes-ingress", "type": "GIT" } ] } ], "details": "A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.", "id": "CVE-2024-10318", "modified": "2026-03-10T21:50:12.399382823Z", "published": "2024-11-06T17:15:13.680Z", "references": [ { "type": "ADVISORY", "url": "https://my.f5.com/manage/s/article/K000148232" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ] }