Session Fixation Affecting org.cloudfoundry.identity:cloudfoundry-identity-uaa package, versions [,2.7.4.9] and [3.0.0,3.9.1]


Severity

Recommended: high (on a 0 to 10 scale)

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.25% (64th percentile)

  • Snyk ID: SNYK-JAVA-ORGCLOUDFOUNDRYIDENTITY-31411
  • Published: 21 May 2017
  • Disclosed: 31 Mar 2017
  • Credit: GE Digital Security Team

Introduced: 31 Mar 2017

CVE-2017-4963
CWE-384

Overview

Affected versions of org.cloudfoundry.identity:cloudfoundry-identity-uaa are vulnerable to session fixation in the User Account and Authentication (UAA) server when UAA is configured to authenticate against external SAML or OpenID Connect based identity providers.

CVSS Scores (version 3.1)