Vulnerability-Lookup

CVE-2015-0201 (GCVE-0-2015-0201)

Vulnerability from cvelistv5 – Published: 2015-03-10 14:00 – Updated: 2024-08-06 04:03

Summary

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Severity

No CVSS data available.

CWE

Assigner

redhat

References

1 reference

URL	Tags
https://pivotal.io/security/cve-2015-0201	x_refsource_CONFIRM

Date Public

2015-03-06 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:03:10.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://pivotal.io/security/cve-2015-0201"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-03-10T13:57:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://pivotal.io/security/cve-2015-0201"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0201",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2015-0201",
              "refsource": "CONFIRM",
              "url": "https://pivotal.io/security/cve-2015-0201"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-0201",
    "datePublished": "2015-03-10T14:00:00.000Z",
    "dateReserved": "2014-11-18T00:00:00.000Z",
    "dateUpdated": "2024-08-06T04:03:10.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2015-0201",
      "date": "2026-05-31",
      "epss": "0.00182",
      "percentile": "0.39595"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"01D83EE4-F71B-4186-A34E-9128B6DA333B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC1A4DB1-083B-4AAB-B1A2-CFFD487A1FBF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"53D5991E-2CD0-42D9-8158-25FF18275B21\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"130DBD54-EF87-4A90-A727-F2BFFBF2DFA2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FDB59905-C658-4EFD-B073-FE84F0BF1DDB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.\"}, {\"lang\": \"es\", \"value\": \"El cliente Java SockJS en Pivotal Spring Framework 4.1.x anterior a 4.1.5 genera identificadores de sesiones previsibles, lo que permite a atacantes remotos enviar mensajes a otras sesiones a trav\\u00e9s de vectores no especificados.\"}]",
      "id": "CVE-2015-0201",
      "lastModified": "2024-11-21T02:22:31.707",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": true, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2015-03-10T14:59:04.350",
      "references": "[{\"url\": \"https://pivotal.io/security/cve-2015-0201\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://pivotal.io/security/cve-2015-0201\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-254\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2015-0201\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-03-10T14:59:04.350\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\"El cliente Java SockJS en Pivotal Spring Framework 4.1.x anterior a 4.1.5 genera identificadores de sesiones previsibles, lo que permite a atacantes remotos enviar mensajes a otras sesiones a trav\u00e9s de vectores no especificados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-254\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"01D83EE4-F71B-4186-A34E-9128B6DA333B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC1A4DB1-083B-4AAB-B1A2-CFFD487A1FBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"53D5991E-2CD0-42D9-8158-25FF18275B21\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"130DBD54-EF87-4A90-A727-F2BFFBF2DFA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDB59905-C658-4EFD-B073-FE84F0BF1DDB\"}]}]}],\"references\":[{\"url\":\"https://pivotal.io/security/cve-2015-0201\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://pivotal.io/security/cve-2015-0201\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2015-01644

Vulnerability from cnvd - Published: 2015-03-13

Title

Pivotal Software Spring Framework Java SockJS客户端存在未明漏洞

Description

Pivotal Software Spring Framework是美国Pivotal Software公司的一套开源的Java、Java EE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Pivotal Software Spring Framework 4.1.5之前4.1.x版本的Java SockJS客户端中存在安全漏洞，该漏洞源于程序生成可预测的会话ID。远程攻击者可利用该漏洞向其他会话发送消息。

Severity

中

Patch Name

Pivotal Software Spring Framework Java SockJS客户端存在未明漏洞的补丁

Patch Description

Pivotal Software Spring Framework是美国Pivotal Software公司的一套开源的Java、Java EE应用程序框架。该框架可帮助开发人员构建高质量的应用。Pivotal Software Spring Framework 4.1.5之前4.1.x版本的Java SockJS客户端中存在安全漏洞，该漏洞源于程序生成可预测的会话ID。远程攻击者可利用该漏洞向其他会话发送消息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://pivotal.io/security/cve-2015-0201

Reference

https://pivotal.io/security/cve-2015-0201

Impacted products

Name
['Pivotal Software Spring Framework 4.1.0', 'Pivotal Software Spring Framework 4.1.1', 'Pivotal Software Spring Framework 4.1.2', 'Pivotal Software Spring Framework 4.1.3', 'Pivotal Software Spring Framework 4.1.4']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "73036"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-0201"
    }
  },
  "description": "Pivotal Software Spring Framework\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Java\u3001Java EE\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u3002\u8be5\u6846\u67b6\u53ef\u5e2e\u52a9\u5f00\u53d1\u4eba\u5458\u6784\u5efa\u9ad8\u8d28\u91cf\u7684\u5e94\u7528\u3002\r\n\r\nPivotal Software Spring Framework 4.1.5\u4e4b\u524d4.1.x\u7248\u672c\u7684Java SockJS\u5ba2\u6237\u7aef\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u751f\u6210\u53ef\u9884\u6d4b\u7684\u4f1a\u8bddID\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5176\u4ed6\u4f1a\u8bdd\u53d1\u9001\u6d88\u606f\u3002",
  "discovererName": "Pivotal Software",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://pivotal.io/security/cve-2015-0201",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-01644",
  "openTime": "2015-03-13",
  "patchDescription": "Pivotal Software Spring Framework\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684Java\u3001Java EE\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u3002\u8be5\u6846\u67b6\u53ef\u5e2e\u52a9\u5f00\u53d1\u4eba\u5458\u6784\u5efa\u9ad8\u8d28\u91cf\u7684\u5e94\u7528\u3002Pivotal Software Spring Framework 4.1.5\u4e4b\u524d4.1.x\u7248\u672c\u7684Java SockJS\u5ba2\u6237\u7aef\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u751f\u6210\u53ef\u9884\u6d4b\u7684\u4f1a\u8bddID\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5411\u5176\u4ed6\u4f1a\u8bdd\u53d1\u9001\u6d88\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pivotal Software Spring Framework Java SockJS\u5ba2\u6237\u7aef\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software Spring Framework 4.1.0",
      "Pivotal Software Spring Framework 4.1.1",
      "Pivotal Software Spring Framework 4.1.2",
      "Pivotal Software Spring Framework 4.1.3",
      "Pivotal Software Spring Framework 4.1.4"
    ]
  },
  "referenceLink": "https://pivotal.io/security/cve-2015-0201",
  "serverity": "\u4e2d",
  "submitTime": "2015-03-12",
  "title": "Pivotal Software Spring Framework Java SockJS\u5ba2\u6237\u7aef\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

FKIE_CVE-2015-0201

Vulnerability from fkie_nvd - Published: 2015-03-10 14:59 - Updated: 2026-05-06 22:30

Severity

Summary

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

References

	URL	Tags
	secalert@redhat.com	https://pivotal.io/security/cve-2015-0201	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://pivotal.io/security/cve-2015-0201	Vendor Advisory

Impacted products

Vendor	Product	Version
pivotal_software	spring_framework	4.1.0
vmware	spring_framework	4.1.1
vmware	spring_framework	4.1.2
vmware	spring_framework	4.1.3
vmware	spring_framework	4.1.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "01D83EE4-F71B-4186-A34E-9128B6DA333B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC1A4DB1-083B-4AAB-B1A2-CFFD487A1FBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "53D5991E-2CD0-42D9-8158-25FF18275B21",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "130DBD54-EF87-4A90-A727-F2BFFBF2DFA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDB59905-C658-4EFD-B073-FE84F0BF1DDB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "El cliente Java SockJS en Pivotal Spring Framework 4.1.x anterior a 4.1.5 genera identificadores de sesiones previsibles, lo que permite a atacantes remotos enviar mensajes a otras sesiones a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2015-0201",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-03-10T14:59:04.350",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2015-0201"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2015-0201"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-254"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-45VG-2V73-VM62

Vulnerability from github – Published: 2018-10-17 20:28 – Updated: 2024-03-05 18:20

Summary

Moderate severity vulnerability that affects org.springframework:spring-core

Details

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-0201"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:30Z",
    "nvd_published_at": "2015-03-10T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.",
  "id": "GHSA-45vg-2v73-vm62",
  "modified": "2024-03-05T18:20:18Z",
  "published": "2018-10-17T20:28:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/d63cfc8eebc396be009e733a81ebb4c984811f6e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/dc5b5ca8ee09c890352f89b2dae58bc0132d6545"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-45vg-2v73-vm62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-framework"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2015-0201"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Moderate severity vulnerability that affects org.springframework:spring-core"
}

GSD-2015-0201

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Aliases

CVE-2015-0201

Aliases

CVE-2015-0201

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-0201",
    "description": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.",
    "id": "GSD-2015-0201"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-0201"
      ],
      "details": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.",
      "id": "GSD-2015-0201",
      "modified": "2023-12-13T01:19:58.465883Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-0201",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://pivotal.io/security/cve-2015-0201",
            "refsource": "CONFIRM",
            "url": "https://pivotal.io/security/cve-2015-0201"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[4.1.0,4.1.5)",
          "affected_versions": "All versions starting from 4.1.0 before 4.1.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2021-08-31",
          "description": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.",
          "fixed_versions": [
            "4.1.5"
          ],
          "identifier": "CVE-2015-0201",
          "identifiers": [
            "GHSA-45vg-2v73-vm62",
            "CVE-2015-0201"
          ],
          "not_impacted": "All versions before 4.1.0, all versions starting from 4.1.5",
          "package_slug": "maven/org.springframework/spring-core",
          "pubdate": "2018-10-17",
          "solution": "Upgrade to version 4.1.5 or above.",
          "title": "Moderate severity vulnerability that affects org.springframework:spring-core",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2015-0201",
            "https://github.com/advisories/GHSA-45vg-2v73-vm62",
            "https://pivotal.io/security/cve-2015-0201"
          ],
          "uuid": "98a50773-aebb-497a-8a01-bd2fb77f4399"
        },
        {
          "affected_range": "[4.1.0.RELEASE,4.1.5.RELEASE)",
          "affected_versions": "All versions starting from 4.1.0.RELEASE before 4.1.4.RELEASE",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2015-03-11",
          "description": "The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.",
          "fixed_versions": [
            "4.1.5.RELEASE"
          ],
          "identifier": "CVE-2015-0201",
          "identifiers": [
            "CVE-2015-0201"
          ],
          "package_slug": "maven/org.springframework/spring-websocket",
          "pubdate": "2015-03-10",
          "solution": "Upgrade to version 4.1.5 or above.",
          "title": "Insufficiently random session id in Java SockJS client",
          "urls": [
            "http://pivotal.io/security/cve-2015-0201",
            "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0201"
          ],
          "uuid": "33e2b8bd-74d3-4a1b-b749-26ce475e1d68"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-0201"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-254"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pivotal.io/security/cve-2015-0201",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://pivotal.io/security/cve-2015-0201"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2022-04-11T17:18Z",
      "publishedDate": "2015-03-10T14:59Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-0201 (GCVE-0-2015-0201)

CNVD-2015-01644

FKIE_CVE-2015-0201

GHSA-45VG-2V73-VM62

GSD-2015-0201

Tags

Sightings

Nomenclature