CVE-2025-22216Session Fixation in Foundry UAA

CWE-384Session Fixation3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 64.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cloud Foundry UAA
Timeline
PublishedJan 31

Description

A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

CVEListV5cloud_foundry/cloud_foundry_uaa77.20.X77.20.2+1

🔴Vulnerability Details

2
CVEList
CVE-2025-22216 UAA Missing Zone Validation2025-01-31
GHSA
GHSA-g68x-c5mc-5vwr: A UAA configured with multiple identity zones, does not properly validate session information across those zones2025-01-31
CVE-2025-22216 — Session Fixation in Cloud Foundry UAA | cvebase