{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22216", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:29:30.443Z", "datePublished": "2025-01-31T05:47:24.901Z", "dateUpdated": "2025-01-31T17:42:22.937Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "UAA", "platforms": ["any"], "product": "Cloud Foundry UAA", "vendor": "Cloud Foundry", "versions": [{"lessThan": "77.20.2", "status": "affected", "version": "77.20.X", "versionType": "release"}, {"lessThan": "77.25.0", "status": "affected", "version": "77.2X.0", "versionType": "RELEASE"}]}], "datePublic": "2025-01-29T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.&nbsp;</p>"}], "value": "A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-01-31T05:47:24.901Z"}, "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2025-22216-uaa-missing-zone-validation/"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2025-22216 UAA Missing Zone Validation", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-384", "lang": "en", "description": "CWE-384 Session Fixation"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-31T17:41:49.840635Z", "id": "CVE-2025-22216", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-31T17:42:22.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-31T17:41:49.840635Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384 Session Fixation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-31T17:42:18.511Z"}}], "cna": {"title": "CVE-2025-22216 UAA Missing Zone Validation", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cloud Foundry", "product": "Cloud Foundry UAA", "versions": [{"status": "affected", "version": "77.20.X", "lessThan": "77.20.2", "versionType": "release"}, {"status": "affected", "version": "77.2X.0", "lessThan": "77.25.0", "versionType": "RELEASE"}], "platforms": ["any"], "packageName": "UAA", "defaultStatus": "affected"}], "datePublic": "2025-01-29T14:00:00.000Z", "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2025-22216-uaa-missing-zone-validation/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.", "supportingMedia": [{"type": "text/html", "value": "<p>A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.&nbsp;</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-01-31T05:47:24.901Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22216", "state": "PUBLISHED", "dateUpdated": "2025-01-31T17:42:22.937Z", "dateReserved": "2025-01-02T04:29:30.443Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-01-31T05:47:24.901Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones."}, {"lang": "es", "value": "Un UAA configurado con m\u00faltiples zonas de identidad no valida correctamente la informaci\u00f3n de la sesi\u00f3n en esas zonas. Un usuario autenticado con un IDP corporativo puede reutilizar su jsessionid para acceder a otras zonas."}], "id": "CVE-2025-22216", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-01-31T06:15:30.090", "references": [{"source": "security@vmware.com", "url": "https://www.cloudfoundry.org/blog/cve-2025-22216-uaa-missing-zone-validation/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}