
CVE-2015-5171: Cloud Foundry Runtime Insufficient Session Expiration vulnerability

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.64421%
Published: 5/13/2022
Updated: 2/28/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: org.cloudfoundry.identity:cloudfoundry-identity-server
Ecosystem: maven
Vulnerable Versions: < 2.5.2
First Patched Version: 2.5.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient session expiration after password changes. Key issues include: 1) The ChangePasswordController only invalidated the current session, leaving others active. 2) JdbcScimUserProvisioning's timestamp handling lacked precision alignment for comparison. 3) UaaAuthentication lacked critical timing metadata. The patch addresses these by adding session-wide checks (SessionResetFilter), timestamp normalization, and authentication time tracking.
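The session-wide check that the fix describes, shown as an added plain-Java example rather than UAA's own SessionResetFilter; the Session record, its field names and the sample timestamps are assumptions constructed for illustration:

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.List;

// Added example (not UAA code): the decision a session-wide filter makes after a
// password change. A session is stale when it was authenticated before the
// account's password was last modified, regardless of which device holds it.
public final class PasswordChangeSessionPolicy {

    // Minimal session model; the field names are assumptions for this example.
    record Session(String id, String userId, Instant authenticatedAt) {}

    // Persisted timestamps (such as a user's last password change) are often
    // stored at second precision while in-memory authentication times carry
    // milliseconds. Bring both sides to the same precision before comparing so
    // that a sub-second fragment present on only one side cannot decide it.
    static Instant normalise(Instant t) {
        return t.truncatedTo(ChronoUnit.SECONDS);
    }

    // True when the session must be invalidated. A session that carries no
    // authentication timestamp fails closed and is invalidated as well.
    public static boolean isStale(Session s, Instant passwordLastModified) {
        if (s.authenticatedAt() == null) {
            return true;
        }
        if (passwordLastModified == null) {
            return false; // password never changed: nothing to expire
        }
        return normalise(s.authenticatedAt()).isBefore(normalise(passwordLastModified));
    }

    public static void main(String[] args) {
        // Constructed sample: the user's password was changed at 12:00:00.250Z.
        Instant changed = Instant.parse("2015-08-01T12:00:00.250Z");
        List<Session> sessions = List.of(
            // Logged in on another device hours earlier: must be expired.
            new Session("s1", "alice", Instant.parse("2015-08-01T09:30:00.000Z")),
            // Fresh login after the change: survives.
            new Session("s2", "alice", Instant.parse("2015-08-01T12:00:05.000Z")),
            // Authentication time was never recorded: fail closed.
            new Session("s3", "alice", null));
        for (Session s : sessions) {
            String verdict = isStale(s, changed) ? "invalidate" : "keep";
            System.out.println(s.id() + ": " + verdict);
        }
    }
}
```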
