Session Fixation Vulnerability in Infinispan by Red Hat
CVE-2019-10158

5.4MEDIUM

Key Information:

Vendor
Red Hat
Status
Infinispan
Vendor
CVE Published:
2 January 2020

Summary

Infinispan, up to version 9.4.14.Final, has a vulnerability due to improper implementation of session fixation protection within the Spring Session integration. This flaw can lead to incorrect session handling, allowing attackers the potential to exploit user sessions effectively. This vulnerability underscores the importance of robust session management in web applications to maintain user security and application integrity.

Affected Version(s)

infinispan

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158
x_refsource_CONFIRM
https://github.com/infinispan/infinispan/pull/6960
x_refsource_CONFIRM
https://github.com/infinispan/infinispan/pull/7025
x_refsource_CONFIRM

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.