{"id":"GHSA-376m-3rm2-9jm6","summary":"Session Fixation in ipsilon","details":"A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows an attacker to log out the active sessions of other users. The issue stems from how ipsilon tracks sessions, and it allows an unauthenticated attacker to view and terminate the active sessions of other users. It is also called the \"SAML2 multi-session vulnerability.\"","aliases":["CVE-2016-8638"],"modified":"2024-02-16T08:19:08.568086Z","published":"2022-05-14T03:55:23Z","database_specific":{"github_reviewed_at":"2023-02-14T00:46:20Z","severity":"CRITICAL","nvd_published_at":"2017-07-12T13:29:00Z","cwe_ids":["CWE-384"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-8638"},{"type":"WEB","url":"https://github.com/ipsilon-project/ipsilon/commit/1c48414877fc110652b6078a29529972c7ec9122"},{"type":"WEB","url":"https://github.com/ipsilon-project/ipsilon/commit/64fc366c054fc6af1d9d2692902db169884b5f78"},{"type":"WEB","url":"https://github.com/ipsilon-project/ipsilon/commit/a33303b6beb5c316d7c18b23566b7666a4e307a4"},{"type":"WEB","url":"https://github.com/ipsilon-project/ipsilon/commit/b4744a92d4fa7f6d7ade0ae2d99a2dc0ea94734d"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2016:2809"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2016-8638"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1392829"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8638"},{"type":"PACKAGE","url":"https://github.com/ipsilon-project/ipsilon"},{"type":"WEB","url":"https://ipsilon-project.org/advisory/CVE-2016-8638.txt"},{"type":"WEB","url":"https://ipsilon-project.org/release/2.1.0.html"},{"type":"WEB","url":"https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2016-2809.html"},{"type":"WEB","url":"http://www
.securityfocus.com/bid/94439"}],"affected":[{"package":{"name":"ipsilon","ecosystem":"PyPI","purl":"pkg:pypi/ipsilon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-376m-3rm2-9jm6/GHSA-376m-3rm2-9jm6.json"}},{"package":{"name":"ipsilon","ecosystem":"PyPI","purl":"pkg:pypi/ipsilon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.2.0"},{"fixed":"1.2.1"}]}],"versions":["1.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-376m-3rm2-9jm6/GHSA-376m-3rm2-9jm6.json"}},{"package":{"name":"ipsilon","ecosystem":"PyPI","purl":"pkg:pypi/ipsilon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.1.0"},{"fixed":"1.1.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-376m-3rm2-9jm6/GHSA-376m-3rm2-9jm6.json"}},{"package":{"name":"ipsilon","ecosystem":"PyPI","purl":"pkg:pypi/ipsilon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0"},{"fixed":"1.0.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-376m-3rm2-9jm6/GHSA-376m-3rm2-9jm6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}