CVE-2015-5171 — Insufficient Session Expiration in Cf-release

CWE-613 — Insufficient Session Expiration5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 34.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudfoundry Cf-release Pivotal Software Cloud Foundry Elastic Runtime Pivotal Software Cloud Foundry UAA

Timeline

PublishedOct 24

Latest updateMay 13

Description

The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDpivotal_software/cloud_foundry_elastic_runtime< 1.7.0

▶NVDcloudfoundry/cf-release< 216

▶NVDpivotal_software/cloud_foundry_uaa< 2.5.2

🔴Vulnerability Details

OSV

Cloud Foundry Runtime Insufficient Session Expiration vulnerability↗2022-05-13

▶

GHSA

Cloud Foundry Runtime Insufficient Session Expiration vulnerability↗2022-05-13

▶

CVEList

CVE-2015-5171: The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2↗2017-10-24

▶

📄Research Papers

arXiv

SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning↗2022-03-22

▶