{"id":"CVE-2024-10318","details":"A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.","modified":"2026-04-10T05:08:31.097382Z","published":"2024-11-06T17:15:13.680Z","references":[{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000148232"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginxinc/kubernetes-ingress","events":[{"introduced":"0"},{"last_affected":"bc770081fd677274c7cdca57140fd06112e9a8ab"},{"introduced":"9d1331a520f82918db5d8018dd926aaf557c4a93"},{"last_affected":"4252538e0d02dfd42cd3b35884cd5b50147814b7"},{"introduced":"868bb7771adf2bfebcc1d42b96a26e13123cdca7"},{"fixed":"cc54bee9b88db2d8c3c8f75f662c8af3b7f549ae"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.12.5"},{"introduced":"2.2.1"},{"last_affected":"2.4.2"},{"introduced":"3.0.0"},{"fixed":"3.7.1"}]}}],"versions":["v0.3","v0.4.0","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.8.1","v0.9.0","v1.0.0","v1.0.0-beta0","v1.1.0","v1.1.1","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.2.0","v1.3.0","v1.9.0-nsmready","v2.2.0","v2.4.0","v2.4.1","v2.4.2","v3.2.0","v3.3.0","v3.7.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10318.json","unresolved_ranges":[{"events":[{"introduced":"1.3.0"},{"fixed":"1.9.3"}]},{"events":[{"introduced":"2.5.0"},{"fixed":"2.17.4"}]},{"events":[{"introduced":"0"},{"fixed":"2024-10-24"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}]}