CVE-2015-0201

CWE-2546 documents6 sources

Severity

5.0MEDIUM

EPSS

0.2%

top 60.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Software Spring Framework Vmware Spring Framework

Timeline

PublishedMar 10

Latest updateOct 17

Description

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDpivotal_software/spring_framework4.1.0

▶Mavenorg.springframework:spring-core4.1.0 — 4.1.5

▶NVDvmware/spring_framework4 versions+3

🔴Vulnerability Details

OSV

Moderate severity vulnerability that affects org.springframework:spring-core↗2018-10-17

▶

GHSA

Moderate severity vulnerability that affects org.springframework:spring-core↗2018-10-17

▶

CVEList

CVE-2015-0201: The Java SockJS client in Pivotal Spring Framework 4↗2015-03-10

▶

📋Vendor Advisories

Debian

CVE-2015-0201: libspring-java - The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates ...↗2015

▶

💬Community

Bugzilla

CVE-2015-0201 Spring Framework: insufficiently random session ID in Java SockJS client↗2015-03-11

▶