Vulnerability Details : CVE-2019-10158
A flaw was found in Infinispan through version 9.4.14.Final. The session fixation protection in the Spring Session integration was implemented improperly, so the protection can fail to take effect and sessions can be handled incorrectly. The fix is tracked as ISPN-10224 in the pull requests listed under References below.
Products affected by CVE-2019-10158
- cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10158
- EPSS score: 0.38% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~70% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-10158
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2.8 | 2.5 | Red Hat, Inc. | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |

The first row is a CVSS v2 vector; the other two are v3. Note that the NIST v3.1 vector (no user interaction, high impact) and the Red Hat v3.0 vector (user interaction required, low impact) disagree substantially, so check which source your triage process uses before assigning a severity.
CWE ids for CVE-2019-10158
- Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
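The description of the flaw and the CWE note above describe the failure only in general terms. The Python below is an added illustration, not code from Infinispan or Spring Session, and every name in it (SessionRepository, fixation_attack_succeeds, the two constructor flags) is hypothetical. It models a session store keyed by session ID with a plain dict and walks through three states: no ID rotation on login at all, rotation where the old ID still resolves to the now-authenticated session (protection that exists but does not work, which is the general class of defect the description refers to), and rotation plus eviction of the old ID.

```python
"""
Session fixation, and what "session fixation protection" must actually do.

Constructed stand-alone example; not Infinispan or Spring Session code.
The ID -> Session store is a plain dict standing in for a cache-backed
repository. All names here are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    id: str
    attrs: dict = field(default_factory=dict)

    def is_authenticated(self) -> bool:
        return "user" in self.attrs


class SessionRepository:
    """Minimal session store with two switchable behaviours on login."""

    def __init__(self, rotate_id_on_login: bool, evict_old_id: bool):
        self._store: Dict[str, Session] = {}
        self.rotate_id_on_login = rotate_id_on_login
        self.evict_old_id = evict_old_id

    def create(self) -> Session:
        session = Session(secrets.token_hex(16))
        self._store[session.id] = session
        return session

    def find(self, session_id: str) -> Optional[Session]:
        return self._store.get(session_id)

    def login(self, session_id: str, user: str) -> str:
        """Authenticate the caller presenting session_id and return the ID
        the client must use from now on."""
        session = self._store[session_id]
        old_id = session.id
        if self.rotate_id_on_login:
            # Change the ID so that an ID known before authentication is
            # not the ID of the authenticated session ...
            session.id = secrets.token_hex(16)
        session.attrs["user"] = user
        # ... but storing under the new key is only half of the job.
        self._store[session.id] = session
        if self.evict_old_id and old_id != session.id:
            # Without this step the old key still points at the same
            # (now authenticated) Session object: protection in name only.
            del self._store[old_id]
        return session.id


def fixation_attack_succeeds(repo: SessionRepository) -> bool:
    """Classic fixation: the attacker obtains a valid ID, gets the victim to
    use it (e.g. an injected cookie), waits for the victim to log in, then
    presents the same ID. Returns True if the attacker is then authenticated."""
    planted_id = repo.create().id                       # attacker's pre-auth session
    victim_id = repo.login(planted_id, "victim")        # victim logs in with it
    victim_session = repo.find(victim_id)
    assert victim_session is not None and victim_session.is_authenticated()
    hijacked = repo.find(planted_id)                    # attacker replays planted ID
    return hijacked is not None and hijacked.is_authenticated()


if __name__ == "__main__":
    cases = {
        "no rotation on login":            SessionRepository(False, False),
        "rotation, old ID left in store":  SessionRepository(True, False),
        "rotation and old ID evicted":     SessionRepository(True, True),
    }
    for label, repo in cases.items():
        outcome = "HIJACKED" if fixation_attack_succeeds(repo) else "safe"
        print(f"{label:34s} -> {outcome}")
```

The middle case is the one worth testing for in your own integration: after a login, the ID the client held before authentication must return nothing (or an unauthenticated session) from the store, not merely a different ID from the response.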
References for CVE-2019-10158
- https://github.com/infinispan/infinispan/pull/7025
  ISPN-10224 Fix session protection by karesti · Pull Request #7025 · infinispan/infinispan · GitHub (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158
  1714359 – (CVE-2019-10158) CVE-2019-10158 infinispan: Session fixation protection broken for Spring Session integration (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/infinispan/infinispan/pull/6960
  ISPN-10224 Fix session fixation protection by thelateperseus · Pull Request #6960 · infinispan/infinispan · GitHub (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20231227-0009/
  CVE-2019-10158 Infinispan Vulnerability in NetApp Products | NetApp Product Security