CVE-2019-10158

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/infinispan/infinispan/pull/6960	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158	Issue Tracking Patch Third Party Advisory
https://github.com/infinispan/infinispan/pull/7025	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*

Information

Published : 2020-01-02 07:15

Updated : 2020-01-10 08:12

NVD link : CVE-2019-10158

Mitre link : CVE-2019-10158

JSON object : View

CWE

CWE-384

Session Fixation

Advertisement

Products Affected

infinispan

infinispan

redhat

jboss_data_grid

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/infinispan/infinispan/pull/6960", "name": "https://github.com/infinispan/infinispan/pull/6960", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/infinispan/infinispan/pull/7025", "name": "https://github.com/infinispan/infinispan/pull/7025", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-384"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-10158", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2020-01-02T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "9.4.14"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2020-01-10T16:12Z"}