CVE-2025-22216

A UAA configured with multiple identity zones does not properly validate session information across those zones. A user authenticated against a corporate IDP can re-use their jsessionid to access other zones.
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) A UAA configured with multiple identity zones does not properly validate session information across those zones. A user authenticated against a corporate IDP can re-use their jsessionid to access other zones.

31 Jan 2025, 18:15

Type Values Removed Values Added
CWE CWE-384

31 Jan 2025, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-01-31 06:15

Updated : 2026-04-15 00:35


NVD link : CVE-2025-22216

Mitre link : CVE-2025-22216

CVE.ORG link : CVE-2025-22216



Products Affected

No product.

CWE
CWE-384

Session Fixation