CVE-2015-0201

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Published Bysecalert@redhat.com

Published DateMar 10, 2015, 14:59

Affected Versions(1)

org.springframework:spring-core(Maven)

Introduced4.1.0

Fixed4.1.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.springframework:spring-core(Maven)	4.1.0	4.1.5	N/A

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

https://pivotal.io/security/cve-2015-0201

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE