CVE-2018-1127

Impact: Low
Public Date: 2018-05-08
CWE: CWE-613
Bugzilla: 1575835: CVE-2018-1127 tendrl-api: Improper cleanup of session token can allow attackers to hijack user sessions

The MITRE CVE dictionary describes this issue as:

Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

Find out more about CVE-2018-1127 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 4.2
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Gluster Storage 3.4 for RHEL 7 (tendrl-api) RHSA-2018:2616 2018-09-05
Red Hat Gluster Storage 3.4 for RHEL 7 RHSA-2018:2616 2018-09-05

Acknowledgements

This issue was discovered by Filip Balák (Red Hat).
CVE description copyright © 2017, The MITRE Corporation