CVE-2015-0201

2015-03-1014:59:04

CWE-254

[email protected]

web.nvd.nist.gov

cve-2015-0201

java

sockjs

pivotal

spring framework

remote attacks

session ids

6.8 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

70.4%

JSON

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Affected configurations

NVD

Node

pivotal_softwarespring_frameworkMatch4.1.0

vmwarespring_frameworkMatch4.1.1

vmwarespring_frameworkMatch4.1.2

vmwarespring_frameworkMatch4.1.3

vmwarespring_frameworkMatch4.1.4

CPENameOperatorVersion
pivotal_software:spring_frameworkpivotal software spring frameworkeq4.1.0
vmware:spring_frameworkvmware spring frameworkeq4.1.1
vmware:spring_frameworkvmware spring frameworkeq4.1.2
vmware:spring_frameworkvmware spring frameworkeq4.1.3
vmware:spring_frameworkvmware spring frameworkeq4.1.4

CPE	Name	Operator	Version
pivotal_software:spring_framework	pivotal software spring framework	eq	4.1.0
vmware:spring_framework	vmware spring framework	eq	4.1.1
vmware:spring_framework	vmware spring framework	eq	4.1.2
vmware:spring_framework	vmware spring framework	eq	4.1.3
vmware:spring_framework	vmware spring framework	eq	4.1.4