CVE-2016-8638

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows an attacker to log out active sessions of other users. The issue is related to how ipsilon tracks sessions, and allows an unauthenticated attacker to view and terminate the active sessions of other users. It is also called the "SAML2 multi-session vulnerability."
CVSS 3.x Base Score

Provider | Type    | Base Score   | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 9.1 CRITICAL | NETWORK     | LOW             | NONE           | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score Percentile: 91%
Affected Products (NVD)

Vendor          | Product | Version
ipsilon_project | ipsilon | 1.0.0
ipsilon_project | ipsilon | 1.0.1
ipsilon_project | ipsilon | 1.0.2
ipsilon_project | ipsilon | 1.1.0
ipsilon_project | ipsilon | 1.1.1
ipsilon_project | ipsilon | 1.2.0
ipsilon_project | ipsilon | 2.0.0
ipsilon_project | ipsilon | 2.0.1

All listed versions are vulnerable software versions.
Red Hat Enterprise Linux Releases

Red Hat Product    | Release | Fixed Version    | State
ipsilon            | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-authform   | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-authgssapi | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-authldap   | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-base       | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-client     | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-filesystem | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-infosssd   | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-persona    | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-saml2      | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-saml2-base | RHEL 7  | 0:1.0.0-13.el7_3 | fixed
ipsilon-tools-ipa  | RHEL 7  | 0:1.0.0-13.el7_3 | fixed