NVD Vulnerability Detail

CVE-2019-8978

Summary	An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.
Publication Date	May 15, 2019, 4:29 a.m.
Registration Date	Jan. 26, 2021, 11:45 a.m.
Last Update	Nov. 21, 2024, 1:50 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ellucian:banner_web_tailor:8.8.3:::::::*
cpe:2.3:a:ellucian:banner_web_tailor:8.8.4:::::::*
cpe:2.3:a:ellucian:banner_web_tailor:8.9:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.1:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.2:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.4:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/152856/Ellucian-Banner-Web-Tailor-Banner-Enterprise-Identity-Services-Improper-Authentication.html	Third Party Advisory VDB Entry
2	http://seclists.org/fulldisclosure/2019/May/18	Mailing List Third Party Advisory
3	https://ecommunities.ellucian.com/message/252749#252749	Permissions Required
4	https://ecommunities.ellucian.com/message/252810#252810	Permissions Required
5	https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt	Third Party Advisory
6	https://seclists.org/bugtraq/2019/May/31	Mailing List Third Party Advisory
7	http://packetstormsecurity.com/files/152856/Ellucian-Banner-Web-Tailor-Banner-Enterprise-Identity-Services-Improper-Authentication.html	Third Party Advisory VDB Entry
8	https://seclists.org/bugtraq/2019/May/31	Mailing List Third Party Advisory
9	https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt	Third Party Advisory
10	https://ecommunities.ellucian.com/message/252810#252810	Permissions Required
11	https://ecommunities.ellucian.com/message/252749#252749	Permissions Required
12	http://seclists.org/fulldisclosure/2019/May/18	Mailing List Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-287	不適切な認証	https://cwe.mitre.org/data/definitions/287.html
2	CWE-362	競合状態	https://cwe.mitre.org/data/definitions/362.html

JVN Vulnerability Information

Ellucian Banner Web Tailor および Banner Enterprise Identity Services における競合状態に関する脆弱性

Title	Ellucian Banner Web Tailor および Banner Enterprise Identity Services における競合状態に関する脆弱性
Summary	Ellucian Banner Web Tailor および Banner Enterprise Identity Services には、競合状態に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	May 13, 2019, midnight
Registration Date	June 4, 2019, 6:06 p.m.
Last Update	June 4, 2019, 6:06 p.m.

Affected System

Ellucian

Banner Enterprise Identity Services 8.3

Banner Enterprise Identity Services 8.3.1

Banner Enterprise Identity Services 8.3.2

Banner Enterprise Identity Services 8.4

Banner Web Tailor 8.8.3

Banner Web Tailor 8.8.4

Banner Web Tailor 8.9

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-8978	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8978
National Vulnerability Database (NVD)
2	CVE-2019-8978	https://nvd.nist.gov/vuln/detail/CVE-2019-8978

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-362	https://jvndb.jvn.jp/ja/cwe/CWE-362.html

ベンダー情報

No	Name	URL
Ellucian
1	Ellucian Banner	https://www.ellucian.com/solutions/ellucian-banner

その他

No	Name	URL
関連文書
1	[CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services	https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt

Change Log

No	Changed Details	Date of change
1	[2019年06月04日] 掲載	June 4, 2019, 6:06 p.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ellucian:banner_web_tailor:8.8.3:::::::*
cpe:2.3:a:ellucian:banner_web_tailor:8.8.4:::::::*
cpe:2.3:a:ellucian:banner_web_tailor:8.9:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.1:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.3.2:::::::*
cpe:2.3:a:ellucian:banner_enterprise_identity_services:8.4:::::::*