A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions.
A vulnerability in ipsilon was found that allows an attacker to log out the active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from
All versions of Ipsilon 2.0 before 2.0.2 are vulnerable.
All versions of Ipsilon 1.2 before 1.2.1 are vulnerable.
All versions of Ipsilon 1.1 before 1.1.2 are vulnerable.
All versions of Ipsilon 1.0 before 1.0.3 are vulnerable.
Name: Patrick Uiterwijk (Red Hat), Howard Johnson
Created attachment 1218514
Created ipsilon tracking bugs for this issue:
Affects: fedora-all [bug 1396973]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2809 https://rhn.redhat.com/errata/RHSA-2016-2809.html
*** Bug 1526610 has been marked as a duplicate of this bug. ***