CVE-2025-22216 | THREATINT

Description

A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.

PUBLISHED Reserved 2025-01-02 | Published 2025-01-31 | Updated 2025-01-31 | Assigner vmware

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Product status

Default status

affected

77.20.X (release) before 77.20.2

affected

77.2X.0 (RELEASE) before 77.25.0

affected

References

www.cloudfoundry.org/...5-22216-uaa-missing-zone-validation/

cve.org (CVE-2025-22216)

nvd.nist.gov (CVE-2025-22216)

Download JSON