CVE-2024-10318: 
NGINX Ingress Controller (NGINX Inc) vulnerability analysis and mitigation

A session fixation vulnerability (CVE-2024-10318) was discovered in the NGINX OpenID Connect reference implementation. The vulnerability was disclosed on November 6, 2024, and affects multiple NGINX products including NGINX API Connectivity Manager, NGINX Ingress Controller, NGINX Instance Manager, and NGINX OpenID Connect reference implementation (NVD).

The vulnerability stems from a failure to check the nonce parameter at login time in the NGINX OpenID Connect reference implementation. The severity of this vulnerability has been assessed with a CVSS v4.0 base score of 5.1 (Medium) and CVSS v3.1 base score of 5.4 (Medium). The vulnerability is classified as CWE-384 (Session Fixation) (NVD).

When exploited, this vulnerability allows an attacker to fix a victim's session to an attacker-controlled account. While the attacker cannot directly log in as the victim, they can force the session to associate with their controlled account, potentially leading to misuse of the victim's session (NVD).

F5 Networks has released security updates to address this vulnerability. The fix is available in versions after NGINX OpenID Connect 2024-10-24, NGINX API Connectivity Manager 1.9.3, NGINX Ingress Controller 3.7.1, and NGINX Instance Manager 2.17.4 (NVD).