Vulnerability Details CVE-2018-1127
Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.8%
CVSS Severity
CVSS v3 Score 4.2
CVSS v2 Score 6.8
References
- http://www.securitytracker.com/id/1041597
- https://access.redhat.com/errata/RHSA-2018:2616
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127
- https://github.com/Tendrl/api/pull/422
- http://www.securitytracker.com/id/1041597
- https://access.redhat.com/errata/RHSA-2018:2616
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1127
- https://github.com/Tendrl/api/pull/422
Products affected by CVE-2018-1127
-
cpe:2.3:a:redhat:gluster_storage:2.0
-
cpe:2.3:a:redhat:gluster_storage:2.1
-
cpe:2.3:a:redhat:gluster_storage:3.0
-
cpe:2.3:a:redhat:gluster_storage:3.0.0
-
cpe:2.3:a:redhat:gluster_storage:3.1
-
cpe:2.3:a:redhat:gluster_storage:3.2
-
cpe:2.3:a:redhat:gluster_storage:3.3