cvelistv5 - cve-2016-8638

CVE-2016-8638 (GCVE-0-2016-8638)

Vulnerability from cvelistv5 – Published: 2017-07-12 13:00 – Updated: 2024-08-06 02:27

Summary

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GHSA-376M-3RM2-9JM6

Vulnerability from github – Published: 2022-05-14 03:55 – Updated: 2023-02-14 00:46

Summary

Session Fixation in ipsilon

Details

Severity ?

9.1 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ipsilon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ipsilon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ipsilon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ipsilon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-8638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-14T00:46:20Z",
    "nvd_published_at": "2017-07-12T13:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users.  This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\"",
  "id": "GHSA-376m-3rm2-9jm6",
  "modified": "2023-02-14T00:46:20Z",
  "published": "2022-05-14T03:55:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipsilon-project/ipsilon/commit/1c48414877fc110652b6078a29529972c7ec9122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipsilon-project/ipsilon/commit/64fc366c054fc6af1d9d2692902db169884b5f78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipsilon-project/ipsilon/commit/a33303b6beb5c316d7c18b23566b7666a4e307a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipsilon-project/ipsilon/commit/b4744a92d4fa7f6d7ade0ae2d99a2dc0ea94734d"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:2809"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-8638"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1392829"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ipsilon-project/ipsilon"
    },
    {
      "type": "WEB",
      "url": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt"
    },
    {
      "type": "WEB",
      "url": "https://ipsilon-project.org/release/2.1.0.html"
    },
    {
      "type": "WEB",
      "url": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2809.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94439"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Session Fixation in ipsilon"
}

RHSA-2016:2809

Vulnerability from csaf_redhat - Published: 2016-11-21 11:22 - Updated: 2025-11-21 17:58

Summary

Red Hat Security Advisory: ipsilon security update

Notes

Topic

An update for ipsilon is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers. Security Fix(es): * A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638) This issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ipsilon is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers.\n\nSecurity Fix(es):\n\n* A vulnerability was found in ipsilon in the SAML2 provider\u0027s handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638)\n\nThis issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:2809",
        "url": "https://access.redhat.com/errata/RHSA-2016:2809"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1392829",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1392829"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2809.json"
      }
    ],
    "title": "Red Hat Security Advisory: ipsilon security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:58:42+00:00",
      "generator": {
        "date": "2025-11-21T17:58:42+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:2809",
      "initial_release_date": "2016-11-21T11:22:07+00:00",
      "revision_history": [
        {
          "date": "2016-11-21T11:22:07+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-11-21T11:22:07+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:58:42+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server (v. 7)",
                  "product_id": "7Server-7.3.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-persona@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-filesystem@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-tools-ipa@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-infosssd@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-saml2@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-base@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authldap@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authgssapi@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-saml2-base@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-client@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authform@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ipsilon-0:1.0.0-13.el7_3.src",
                "product": {
                  "name": "ipsilon-0:1.0.0-13.el7_3.src",
                  "product_id": "ipsilon-0:1.0.0-13.el7_3.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon@1.0.0-13.el7_3?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-0:1.0.0-13.el7_3.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src"
        },
        "product_reference": "ipsilon-0:1.0.0-13.el7_3.src",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Howard Johnson"
          ]
        },
        {
          "names": [
            "Patrick Uiterwijk"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2016-8638",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2016-11-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1392829"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in ipsilon in the SAML2 provider\u0027s handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ipsilon: DoS via logging out all open SAML2 sessions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
          "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-8638"
        },
        {
          "category": "external",
          "summary": "RHBZ#1392829",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1392829"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-8638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-8638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8638"
        }
      ],
      "release_date": "2016-11-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-11-21T11:22:07+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
            "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2809"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
            "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ipsilon: DoS via logging out all open SAML2 sessions"
    }
  ]
}

RHSA-2016_2809

Vulnerability from csaf_redhat - Published: 2016-11-21 11:22 - Updated: 2024-11-22 10:31

Summary

Red Hat Security Advisory: ipsilon security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for ipsilon is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers.\n\nSecurity Fix(es):\n\n* A vulnerability was found in ipsilon in the SAML2 provider\u0027s handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638)\n\nThis issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:2809",
        "url": "https://access.redhat.com/errata/RHSA-2016:2809"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1392829",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1392829"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2809.json"
      }
    ],
    "title": "Red Hat Security Advisory: ipsilon security update",
    "tracking": {
      "current_release_date": "2024-11-22T10:31:35+00:00",
      "generator": {
        "date": "2024-11-22T10:31:35+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:2809",
      "initial_release_date": "2016-11-21T11:22:07+00:00",
      "revision_history": [
        {
          "date": "2016-11-21T11:22:07+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-11-21T11:22:07+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T10:31:35+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server (v. 7)",
                  "product_id": "7Server-7.3.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-persona@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-filesystem@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-tools-ipa@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-infosssd@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-saml2@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-base@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authldap@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authgssapi@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-saml2-base@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-client@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                "product": {
                  "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                  "product_id": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon-authform@1.0.0-13.el7_3?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ipsilon-0:1.0.0-13.el7_3.src",
                "product": {
                  "name": "ipsilon-0:1.0.0-13.el7_3.src",
                  "product_id": "ipsilon-0:1.0.0-13.el7_3.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ipsilon@1.0.0-13.el7_3?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-0:1.0.0-13.el7_3.src as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src"
        },
        "product_reference": "ipsilon-0:1.0.0-13.el7_3.src",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authform-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authform-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-base-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-base-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-client-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-client-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-persona-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-persona-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
          "product_id": "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
        },
        "product_reference": "ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch",
        "relates_to_product_reference": "7Server-7.3.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Howard Johnson"
          ]
        },
        {
          "names": [
            "Patrick Uiterwijk"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2016-8638",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2016-11-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1392829"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in ipsilon in the SAML2 provider\u0027s handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ipsilon: DoS via logging out all open SAML2 sessions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
          "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
          "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-8638"
        },
        {
          "category": "external",
          "summary": "RHBZ#1392829",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1392829"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-8638",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-8638"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8638",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8638"
        }
      ],
      "release_date": "2016-11-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-11-21T11:22:07+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
            "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2809"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-0:1.0.0-13.el7_3.src",
            "7Server-7.3.Z:ipsilon-authform-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authgssapi-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-authldap-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-client-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-filesystem-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-infosssd-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-persona-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-saml2-base-0:1.0.0-13.el7_3.noarch",
            "7Server-7.3.Z:ipsilon-tools-ipa-0:1.0.0-13.el7_3.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ipsilon: DoS via logging out all open SAML2 sessions"
    }
  ]
}

GSD-2016-8638

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-8638

Aliases

CVE-2016-8638

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-8638",
    "description": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users.  This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\"",
    "id": "GSD-2016-8638",
    "references": [
      "https://access.redhat.com/errata/RHSA-2016:2809",
      "https://linux.oracle.com/cve/CVE-2016-8638.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-8638"
      ],
      "details": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\"",
      "id": "GSD-2016-8638",
      "modified": "2023-12-13T01:21:22.758629Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2016-8638",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2016-2809.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2809.html"
          },
          {
            "name": "http://www.securityfocus.com/bid/94439",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/94439"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"
          },
          {
            "name": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt",
            "refsource": "MISC",
            "url": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt"
          },
          {
            "name": "https://ipsilon-project.org/release/2.1.0.html",
            "refsource": "MISC",
            "url": "https://ipsilon-project.org/release/2.1.0.html"
          },
          {
            "name": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c",
            "refsource": "MISC",
            "url": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.0.0,\u003c1.0.3||\u003e=1.1.0,\u003c1.1.2||\u003e=1.2.0,\u003c1.2.1||\u003e=2.0.0,\u003c2.0.2",
          "affected_versions": "All versions starting from 1.0.0 before 1.0.3, all versions starting from 1.1.0 before 1.1.2, all versions starting from 1.2.0 before 1.2.1, all versions starting from 2.0.0 before 2.0.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2023-02-14",
          "description": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\"",
          "fixed_versions": [
            "1.2.1",
            "2.0.2",
            "1.0.3",
            "1.1.2"
          ],
          "identifier": "CVE-2016-8638",
          "identifiers": [
            "GHSA-376m-3rm2-9jm6",
            "CVE-2016-8638"
          ],
          "not_impacted": "All versions before 1.0.0, all versions starting from 1.0.3 before 1.1.0, all versions starting from 1.1.2 before 1.2.0, all versions starting from 1.2.1 before 2.0.0, all versions starting from 2.0.2",
          "package_slug": "pypi/ipsilon",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to versions 1.2.1, 2.0.2, 1.0.3, 1.1.2 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2016-8638",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638",
            "https://ipsilon-project.org/advisory/CVE-2016-8638.txt",
            "https://ipsilon-project.org/release/2.1.0.html",
            "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c",
            "http://rhn.redhat.com/errata/RHSA-2016-2809.html",
            "http://www.securityfocus.com/bid/94439",
            "https://access.redhat.com/errata/RHSA-2016:2809",
            "https://access.redhat.com/security/cve/CVE-2016-8638",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1392829",
            "https://github.com/advisories/GHSA-376m-3rm2-9jm6"
          ],
          "uuid": "e934739f-4cc2-49ec-b94e-34539c3562b3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:2.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-8638"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-384"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"
            },
            {
              "name": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"
            },
            {
              "name": "94439",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/94439"
            },
            {
              "name": "https://ipsilon-project.org/release/2.1.0.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://ipsilon-project.org/release/2.1.0.html"
            },
            {
              "name": "RHSA-2016:2809",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-2809.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-02-12T23:26Z",
      "publishedDate": "2017-07-12T13:29Z"
    }
  }
}

FKIE_CVE-2016-8638

Vulnerability from fkie_nvd - Published: 2017-07-12 13:29 - Updated: 2025-04-20 01:37

Severity ?

9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2016-2809.html
secalert@redhat.com	http://www.securityfocus.com/bid/94439	Third Party Advisory, VDB Entry
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638	Issue Tracking, Third Party Advisory
secalert@redhat.com	https://ipsilon-project.org/advisory/CVE-2016-8638.txt	Vendor Advisory
secalert@redhat.com	https://ipsilon-project.org/release/2.1.0.html
secalert@redhat.com	https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-2809.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/94439	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://ipsilon-project.org/advisory/CVE-2016-8638.txt	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://ipsilon-project.org/release/2.1.0.html
af854a3a-2127-422b-91ae-364da2661108	https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
ipsilon_project	ipsilon	1.0.0
ipsilon_project	ipsilon	1.0.1
ipsilon_project	ipsilon	1.0.2
ipsilon_project	ipsilon	1.1.0
ipsilon_project	ipsilon	1.1.1
ipsilon_project	ipsilon	1.2.0
ipsilon_project	ipsilon	2.0.0
ipsilon_project	ipsilon	2.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFB7EFFE-E740-4BB8-80ED-673CB09613BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5B73BD1-6E0B-4BD3-9F86-84F8BAC2B7A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A12BB361-31E3-4891-8A51-09B68FDD1DF8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4313C8A-E084-49F1-A5D7-952E2A99F2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "358E95D3-46E3-4D29-AE26-D7FDC3D1DDD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:1.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D97F85E-BFA2-45C9-BE1F-54D378EBF181",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB8B7C4A-2080-4EC5-B7AB-DBFF8F991C4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ipsilon_project:ipsilon:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C439FC81-92F0-438C-9AB5-9120141B9574",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users.  This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a \"SAML2 multi-session vulnerability.\""
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en ipsilon 2.0 en versiones anteriores a la 2.0.2, 1.2 anteriores a la 1.2.1, 1.1 anteriores a la 1.1.2 y 1.0 anteriores a la 1.0.3 que permite al atacante cerrar las sesiones activas de otros usuarios.  Este problema est\u00e1 relacionado con la forma en la que se rastrean las sesiones y permite que un atacante no autenticado visualice y finalice las sesiones activas de otros usuarios. Esta vulnerabilidad tambi\u00e9n se conoce como \"SAML2 multi-session vulnerability\"."
    }
  ],
  "id": "CVE-2016-8638",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-12T13:29:00.190",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2809.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94439"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://ipsilon-project.org/release/2.1.0.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2809.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://ipsilon-project.org/advisory/CVE-2016-8638.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://ipsilon-project.org/release/2.1.0.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2016-11649

Vulnerability from cnvd - Published: 2016-11-30

Title

Ipsilon拒绝服务漏洞

Description

Ipsilon是一个用于配置基于Apache的服务供应商的服务器和工具包，它可以向Web应用提供联邦认证（SSO）的可拔插的独立mod_wsgi应用。 Ipsilon存在拒绝服务漏洞，攻击者可利用该漏洞导致拒绝服务。

Severity

高

Patch Name

Ipsilon拒绝服务漏洞的补丁

Patch Description

Ipsilon是一个用于配置基于Apache的服务供应商的服务器和工具包，它可以向Web应用提供联邦认证（SSO）的可拔插的独立mod_wsgi应用。 Ipsilon存在拒绝服务漏洞，攻击者可利用该漏洞导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c

Reference

http://www.securityfocus.com/bid/94439 http://seclists.org/oss-sec/2016/q4/477

Impacted products

Name
['Ipsilon Ipsilon 2.0<2.0.2', 'Ipsilon Ipsilon 1.2<1.2.1', 'Ipsilon Ipsilon 1.1<1.1.2', 'Ipsilon Ipsilon 1.0<1.0.3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94439"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8638"
    }
  },
  "description": "Ipsilon\u662f\u4e00\u4e2a\u7528\u4e8e\u914d\u7f6e\u57fa\u4e8eApache\u7684\u670d\u52a1\u4f9b\u5e94\u5546\u7684\u670d\u52a1\u5668\u548c\u5de5\u5177\u5305\uff0c\u5b83\u53ef\u4ee5\u5411Web\u5e94\u7528\u63d0\u4f9b\u8054\u90a6\u8ba4\u8bc1\uff08SSO\uff09\u7684\u53ef\u62d4\u63d2\u7684\u72ec\u7acbmod_wsgi\u5e94\u7528\u3002 \r\n\r\nIpsilon\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Patrick Uiterwijk (Red Hat) and Howard Johnson",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-11649",
  "openTime": "2016-11-30",
  "patchDescription": "Ipsilon\u662f\u4e00\u4e2a\u7528\u4e8e\u914d\u7f6e\u57fa\u4e8eApache\u7684\u670d\u52a1\u4f9b\u5e94\u5546\u7684\u670d\u52a1\u5668\u548c\u5de5\u5177\u5305\uff0c\u5b83\u53ef\u4ee5\u5411Web\u5e94\u7528\u63d0\u4f9b\u8054\u90a6\u8ba4\u8bc1\uff08SSO\uff09\u7684\u53ef\u62d4\u63d2\u7684\u72ec\u7acbmod_wsgi\u5e94\u7528\u3002 \r\n\r\nIpsilon\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ipsilon\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Ipsilon Ipsilon 2.0\u003c2.0.2",
      "Ipsilon Ipsilon 1.2\u003c1.2.1",
      "Ipsilon Ipsilon 1.1\u003c1.1.2",
      "Ipsilon Ipsilon 1.0\u003c1.0.3"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/94439\r\nhttp://seclists.org/oss-sec/2016/q4/477",
  "serverity": "\u9ad8",
  "submitTime": "2016-11-24",
  "title": "Ipsilon\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-8638 (GCVE-0-2016-8638)

GHSA-376M-3RM2-9JM6

RHSA-2016:2809

RHSA-2016_2809

GSD-2016-8638

FKIE_CVE-2016-8638

CNVD-2016-11649

Tags

Sightings

Nomenclature