A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the victim's session to be associated with the attacker-controlled account, leading to potential misuse of the victim's session.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
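The check whose absence is described above, sketched as an added example in Node.js. It is a generic relying-party illustration, not code from the NGINX reference implementation. The `session` object and the `beginLogin`, `completeLogin` and `demo` names are assumptions, and signature, issuer, audience and expiry validation of the ID token is assumed to have happened before `completeLogin` is called.

```javascript
// Added illustration of OIDC nonce binding; not the NGINX njs code.
const nodeCrypto = require("node:crypto");

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Before redirecting to the IdP: mint a nonce, keep only its hash in the
// browser's pre-login session, and send the raw value in the auth request.
function beginLogin(session) {
  const nonce = nodeCrypto.randomBytes(32).toString("hex");
  session.nonceHash = sha256(nonce);
  return nonce;
}

// On the callback: accept the (already signature-checked) ID token claims only
// if their nonce matches the one bound to THIS browser session.
function completeLogin(session, claims) {
  const expected = session.nonceHash;
  delete session.nonceHash; // single use, consumed even when the check fails
  const ok = Buffer.isBuffer(expected) &&
    typeof claims.nonce === "string" &&
    nodeCrypto.timingSafeEqual(expected, sha256(claims.nonce));
  if (!ok) return { ok: false, reason: "nonce mismatch" };
  // New session identifier at authentication time (the CWE-384 mitigation).
  session.id = nodeCrypto.randomBytes(16).toString("hex");
  session.sub = claims.sub;
  return { ok: true };
}

// Constructed scenario: claims issued for session B arrive on session A's callback.
function demo() {
  const a = { id: "pre-login-a" };
  const b = { id: "pre-login-b" };
  const nonceA = beginLogin(a);
  const nonceB = beginLogin(b);
  const crossed = completeLogin(a, { sub: "account-b", nonce: nonceB });
  const own = completeLogin(b, { sub: "account-b", nonce: nonceB });
  return { crossed, own, a, b, nonceA };
}
```

Without the comparison in `completeLogin`, the crossed callback in `demo()` would attach `account-b` to session A, which is the fixation outcome the advisory describes.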
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nginx_api_connectivity_manager | F5 | 1.3.0 (including) | 1.9.3 (excluding) |
Nginx_ingress_controller | F5 | * | 1.12.5 (including) |
Nginx_ingress_controller | F5 | 2.2.1 (including) | 2.4.2 (including) |
Nginx_ingress_controller | F5 | 3.0.0 (including) | 3.7.1 (excluding) |
Nginx_instance_manager | F5 | 2.5.0 (including) | 2.17.4 (excluding) |
Such a scenario is commonly observed when: