CVE-2019-10158 — Improper implementation of the session fixation protection in Infinispan

Description

A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

How to fix CVE-2019-10158

To remediate CVE-2019-10158, upgrade the affected package to a fixed version below.

Maven/org.infinispan:infinispan-core—upgrade to 9.4.15.Final or later

Is CVE-2019-10158 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 9.4.15.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10158
PATCHgithub.com/infinispan/infinispan
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158
WEBgithub.com/infinispan/infinispan/commit/4b381c5910265972ccaabefbdbd16a2b929f6b72