CVE-2015-5171: Cloud Foundry Runtime Insufficient Session Expiration vulnerability
CVSS Score (v3.1): 9.8
Basic Information
CVE ID: CVE-2015-5171
GHSA ID
EPSS Score: 0.64421%
CWE
Published: 5/13/2022
Updated: 2/28/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.cloudfoundry.identity:cloudfoundry-identity-server | maven | < 2.5.2 | 2.5.2
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient session expiration after a password change. Three issues combine:
1) The ChangePasswordController invalidated only the current session, leaving the user's other sessions active.
2) JdbcScimUserProvisioning compared timestamps without aligning their precision.
3) UaaAuthentication lacked the timing metadata (when the authentication occurred) needed for such a comparison.
The patch addresses these by adding a session-wide check (SessionResetFilter), normalizing timestamps, and recording the authentication time.
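The following is an added illustrative model of the session-wide check described above, not Cloud Foundry UAA code: class, field and function names (Session, UserRecord, SessionResetFilter, normalize, change_password_old) are hypothetical, and the scenario data is constructed. It contrasts the pre-fix behaviour (only the current session is ended) with a per-request filter that rejects every session authenticated before the user's last password change, comparing both timestamps at the same precision.

```python
# Added illustrative model (not Cloud Foundry UAA code; names are hypothetical).
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Session:
    user_id: str
    auth_time: datetime  # when the session authenticated: the timing metadata the fix adds
    valid: bool = True

@dataclass
class UserRecord:
    user_id: str
    password_last_modified: datetime

def normalize(ts: datetime) -> int:
    """Truncate to whole seconds so millisecond- and second-precision values compare consistently."""
    return int(ts.timestamp())

def change_password_old(current: Session, others: list[Session]) -> list[Session]:
    """Pre-fix behaviour: only the session that changed the password is ended."""
    current.valid = False
    return [s for s in others if s.valid]  # every other session stays alive

class SessionResetFilter:
    """Post-fix behaviour: reject and invalidate any session authenticated
    before the user's most recent password change, whichever device it is on."""
    def __init__(self, users: dict[str, UserRecord]) -> None:
        self.users = users

    def allow(self, session: Session) -> bool:
        user = self.users.get(session.user_id)
        if user is not None and normalize(session.auth_time) < normalize(user.password_last_modified):
            session.valid = False  # stale: predates the password change
        return user is not None and session.valid

def demo() -> dict:
    """Constructed scenario: two sessions exist; the password is changed from the laptop."""
    def at(h, m, s, ms=0):
        return datetime(2015, 8, 1, h, m, s, ms * 1000, tzinfo=timezone.utc)
    laptop, phone = Session("alice", at(9, 0, 0)), Session("alice", at(9, 30, 0))
    survivors = change_password_old(laptop, [phone])  # phone keeps working
    alice = UserRecord("alice", password_last_modified=at(10, 0, 0, 250))
    f = SessionResetFilter({"alice": alice})
    return {
        "old_survivor_count": len(survivors),                      # 1
        "phone_allowed": f.allow(phone),                           # False
        "fresh_allowed": f.allow(Session("alice", at(10, 5, 0))),  # True
        "normalized_equal": normalize(at(10, 0, 0, 250)) == normalize(at(10, 0, 0)),  # True
    }
```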