CVE-2019-8978 Information

Description

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4 in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim’s session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim’s UDCID, which in the case tested is the institutional ID. During a login attempt by the victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for that victim, so the victim’s own request ends up without a session.
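The interleaving the description relies on is easier to see in a model than in prose. The following is an added example and is not Ellucian code or anything taken from the referenced advisories: it is a simplified Python model of an SSO handoff in which a freshly created session is parked until the browser fetches the main page. The vulnerable variant keys the parked session on the guessable UDCID carried in the IDMSESSID cookie, exactly the property the description exploits; the hardened variant keys it on an unguessable, single-use login nonce that only the victim's browser holds. Class names, the cookie handling, and the sample UDCID are assumptions made for the example.

```python
from __future__ import annotations

import secrets
from typing import Optional

# Added model (not Ellucian code) of the handoff described in CVE-2019-8978:
# after the identity provider (SSO Manager) reports a successful login, the
# application creates a SESSID and parks it until the browser requests the
# Banner Web Tailor main page. The weakness is in what the parked session is
# keyed on.


class VulnerableHandoff:
    """Parked session keyed on the UDCID carried in the IDMSESSID cookie.

    The UDCID is the institutional ID, which an attacker can know or guess,
    so whoever requests the main page with IDMSESSID=<victim UDCID> between
    the IdP callback and the victim's own request is handed the SESSID."""

    def __init__(self) -> None:
        self.parked: dict[str, str] = {}

    def idp_callback(self, udcid: str) -> None:
        # SSO Manager reports that `udcid` authenticated; create and park a session
        self.parked[udcid] = secrets.token_hex(16)

    def main_page(self, idmsessid_cookie: str) -> Optional[str]:
        # First request presenting the cookie collects the parked SESSID
        return self.parked.pop(idmsessid_cookie, None)


class HardenedHandoff:
    """Parked session keyed on an unguessable, single-use login nonce.

    Before redirecting to the IdP, the app issues a random nonce that only the
    victim's browser holds (assumed to be sent as an HttpOnly, Secure cookie in
    a real deployment). The IdP result is bound to that nonce, so knowing the
    UDCID alone is not enough to collect the session."""

    def __init__(self) -> None:
        self.parked: dict[str, Optional[tuple[str, str]]] = {}

    def begin_login(self) -> str:
        nonce = secrets.token_urlsafe(32)
        self.parked[nonce] = None            # login started, IdP result pending
        return nonce

    def idp_callback(self, nonce: str, udcid: str) -> bool:
        if nonce not in self.parked:         # no login was started with this nonce
            return False
        self.parked[nonce] = (udcid, secrets.token_hex(16))
        return True

    def main_page(self, login_nonce_cookie: str) -> Optional[str]:
        entry = self.parked.pop(login_nonce_cookie, None)
        return entry[1] if entry else None


VICTIM_UDCID = "A00123456"   # constructed sample institutional ID (assumption)


def race_vulnerable() -> tuple[Optional[str], Optional[str]]:
    """The interleaving from the description: the attacker's polling request
    lands between the IdP callback and the victim's own main-page request.
    Returns (what the attacker got, what the victim got)."""
    app = VulnerableHandoff()
    app.idp_callback(VICTIM_UDCID)                  # victim completes SSO login
    attacker_sessid = app.main_page(VICTIM_UDCID)   # attacker's repeated request wins
    victim_sessid = app.main_page(VICTIM_UDCID)     # victim's request finds nothing
    return attacker_sessid, victim_sessid


def race_hardened() -> tuple[Optional[str], Optional[str]]:
    """Same interleaving against the nonce-keyed handoff."""
    app = HardenedHandoff()
    nonce = app.begin_login()                       # victim's browser receives the nonce
    assert app.idp_callback(nonce, VICTIM_UDCID)
    attacker_sessid = app.main_page(VICTIM_UDCID)   # attacker knows only the UDCID
    victim_sessid = app.main_page(nonce)            # victim's browser presents the nonce
    return attacker_sessid, victim_sessid


if __name__ == "__main__":
    a, v = race_vulnerable()
    print("vulnerable: attacker got session:", a is not None, "| victim got session:", v is not None)
    a, v = race_hardened()
    print("hardened:   attacker got session:", a is not None, "| victim got session:", v is not None)
```

The vulnerable run shows both effects named in the description at once: the attacker receives the SESSID and the victim's request gets nothing, which is the denial of service. The hardened run shows the property a fix needs, namely that the token the browser presents to collect the session must be something the attacker cannot derive from the victim's identity.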

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/152856/Ellucian-Banner-Web-Tailor-Banner-Enterprise-Identity-Services-Improper-Authentication.html
http://seclists.org/fulldisclosure/2019/May/18
https://ecommunities.ellucian.com/message/252749252749
https://ecommunities.ellucian.com/message/252810252810
https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt
https://seclists.org/bugtraq/2019/May/31

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.1

Base Severity

HIGH
