CVE-2016-8638 — Session Fixation in ipsilon

Description

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."

How to fix CVE-2016-8638

To remediate CVE-2016-8638, upgrade the affected package to a fixed version below.

—upgrade to 2.0.2 or later

Is CVE-2016-8638 being exploited?

Moderate — EPSS is 7.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.0.0, < 2.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References (15)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-8638
PATCHgithub.com/ipsilon-project/ipsilon
WEBrhn.redhat.com/errata/RHSA-2016-2809.html
WEBaccess.redhat.com/errata/RHSA-2016:2809
WEBaccess.redhat.com