VYPR
Critical severity · NVD Advisory · Published Jan 2, 2020 · Updated Feb 13, 2025

CVE-2019-10158


Description

Infinispan up to 9.4.14.Final has broken session fixation protection in its Spring Session integration due to improper implementation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

CVE-2019-10158 is a flaw found in Infinispan versions through 9.4.14.Final. The root cause is an improper implementation of session fixation protection in the Spring Session integration, which can result in incorrect session handling [1][2][3]. The vulnerability affects how sessions are created and tracked, potentially allowing a session to be reused or assigned without proper validation.

Attack Vector

An attacker with network access to an application using Infinispan’s Spring Session integration could exploit this issue by manipulating session identifiers before authentication. Since the protection is broken, the application might not replace the session ID upon login, enabling session fixation attacks [3]. No authentication is required to initiate the attack; however, the attacker would need to know or control a session ID that a victim uses.

Impact

Successful exploitation could allow an attacker to hijack a valid user session after the user authenticates. This could lead to unauthorized access to the user’s session data and application functions. The impact is rated as medium severity according to Red Hat [3].

Mitigation

Red Hat has acknowledged the issue and the fix is available in the Infinispan repository [1][2]. Patched versions (post-9.4.14.Final) should be used to mitigate the risk. Users can also work around the issue by applying additional session management controls outside of the integration. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the last update.
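A deployment-side check for this issue, written for this page and not taken from the Infinispan project: it drives the embedded Spring Session repository through the same session id rotation that Spring Security performs on login and reports whether the old id has become unresolvable, the new id resolves, and no SessionDestroyedEvent (the parent of SessionDeletedEvent and SessionExpiredEvent) was published, which is what the fix commit's TCK test asserts. It assumes Infinispan 9.4.x with an embedded DefaultCacheManager, Spring Session 2.x, a SpringCache constructor taking the native cache, and a constructed cache name "sessions".

```java
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.spring.common.provider.SpringCache;
import org.infinispan.spring.embedded.session.InfinispanEmbeddedSessionRepository;
import org.springframework.session.MapSession;
import org.springframework.session.events.SessionDestroyedEvent;

/** Hypothetical verification harness for CVE-2019-10158; not part of Infinispan. */
public class SessionIdRotationCheck {
   public static void main(String[] args) throws Exception {
      // Assumption: default embedded cache manager; "sessions" is a constructed cache name.
      DefaultCacheManager manager = new DefaultCacheManager();
      try {
         SpringCache springCache = new SpringCache(manager.getCache("sessions"));
         InfinispanEmbeddedSessionRepository repository = new InfinispanEmbeddedSessionRepository(springCache);

         // Capture every event the repository publishes through its Spring bridge.
         List<Object> events = new CopyOnWriteArrayList<>();
         repository.setApplicationEventPublisher(events::add);

         MapSession session = repository.createSession();
         repository.save(session);
         String originalId = session.getId();

         // This is the id rotation Spring Security performs on a successful login.
         String newId = session.changeSessionId();
         repository.save(session);

         // The bridge may deliver events asynchronously; allow the same 2 s the TCK test allows.
         Thread.sleep(2000);

         boolean oldIdUnresolvable = repository.findById(originalId) == null;
         boolean newIdResolvable = repository.findById(newId) != null;
         // SessionDeletedEvent and SessionExpiredEvent both extend SessionDestroyedEvent.
         boolean noDestroyEvents = events.stream().noneMatch(e -> e instanceof SessionDestroyedEvent);

         System.out.println("old id unresolvable : " + oldIdUnresolvable);
         System.out.println("new id resolvable   : " + newIdResolvable);
         System.out.println("no destroy events   : " + noDestroyEvents);
         System.out.println(oldIdUnresolvable && newIdResolvable && noDestroyEvents
               ? "PASS: id rotation behaves as the fixed release (9.4.15.Final) expects"
               : "FAIL: a destroy event or a lingering old id indicates the unpatched behaviour");
      } finally {
         manager.stop();
      }
   }
}
```

Run it against the artifact version actually on the classpath; a FAIL on an embedded deployment means the session store still signals the old id as destroyed during login and the upgrade has not taken effect.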

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.infinispan:infinispan-core   Maven       < 9.4.15.Final      9.4.15.Final

Affected products

2

Patches

1
4b381c591026

ISPN-10224 Skip Listener notification on remove

https://github.com/infinispan/infinispan · Katia Aresti · Jun 19, 2019 · via ghsa
7 files changed · +66 -2
  • spring/spring5/spring5-common/src/main/java/org/infinispan/spring/common/provider/SpringCache.java +4 -0 modified
    @@ -251,4 +251,8 @@ static RuntimeException throwValueRetrievalException(Object key, Callable<?> loa
              return new ValueRetrievalException(key, loader, ex);
           }
        }
    +
    +   public long getWriteTimeout() {
    +      return writeTimeout;
    +   }
     }
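Review bot: the new getWriteTimeout() accessor carries no Javadoc stating its unit or what a non-positive value means, yet InfinispanRemoteSessionRepository in this same change hard-codes both interpretations (`if (cache.getWriteTimeout() > 0)` and `TimeUnit.MILLISECONDS`). Document that contract on the getter so the caller and the field cannot drift apart.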
    
  • spring/spring5/spring5-common/src/main/java/org/infinispan/spring/common/session/AbstractInfinispanSessionRepository.java +3 -1 modified
    @@ -67,11 +67,13 @@ public MapSession createSession() {
        @Override
        public void save(MapSession session) {
           if (!session.getId().equals(session.getOriginalId())) {
    -         deleteById(session.getOriginalId());
    +         removeFromCacheWithoutNotifications(session.getOriginalId());
           }
           cache.put(session.getId(), session, session.getMaxInactiveInterval().getSeconds(), TimeUnit.SECONDS);
        }
     
    +   protected abstract void removeFromCacheWithoutNotifications(String originalId);
    +
        @Override
        public MapSession findById(String sessionId) {
           return getSession(sessionId, true);
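Review bot: save() still removes the original id before putting the session under its new id, so a request carrying the new id that arrives between the two calls finds no session at all; performing `cache.put(...)` first and the silent removal second closes that window and still leaves exactly one live id. The new abstract method also deserves a Javadoc line saying why notifications must be skipped: the session is being re-keyed, not deleted, so bridged listeners must not receive a SessionDeletedEvent for the old id.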
    
  • spring/spring5/spring5-common/src/test/java/org/infinispan/spring/common/session/InfinispanApplicationPublishedBridgeTCK.java +17 -0 modified
    @@ -66,6 +66,23 @@ public void testEventBridge() throws Exception {
           EventsWaiter.assertSessionContent(() -> eventsCollector.getEvents(), SessionDeletedEvent.class, sessionToBeDeleted.getId(), "foo", "bar", 2, TimeUnit.SECONDS);
        }
     
    +   @Test
    +   public void testEventBridgeWithSessionIdChange() throws Exception {
    +      EventsCollector eventsCollector = new EventsCollector();
    +      sessionRepository.setApplicationEventPublisher(eventsCollector);
    +
    +      MapSession session = sessionRepository.createSession();
    +
    +      sessionRepository.save(session);
    +      session.changeSessionId();
    +      sessionRepository.save(session);
    +
    +      EventsWaiter.assertNumberOfEvents(() -> eventsCollector.getEvents(), SessionCreatedEvent.class, 2, 2, TimeUnit.SECONDS);
    +      EventsWaiter.assertNumberOfEvents(() -> eventsCollector.getEvents(), SessionDeletedEvent.class, 0, 2, TimeUnit.SECONDS);
    +      EventsWaiter.assertNumberOfEvents(() -> eventsCollector.getEvents(), SessionDestroyedEvent.class, 0, 2, TimeUnit.SECONDS);
    +      EventsWaiter.assertNumberOfEvents(() -> eventsCollector.getEvents(), SessionExpiredEvent.class, 0, 2, TimeUnit.SECONDS);
    +   }
    +
        protected void init() throws Exception {
           springCache = createSpringCache();
           sessionRepository = createRepository(springCache);
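Review bot: testEventBridgeWithSessionIdChange only checks event counts and never checks repository state, so an implementation of removeFromCacheWithoutNotifications that does nothing at all would still pass (two creates, no deletes). Capture `String originalId = session.getId();` before `session.changeSessionId();`, then after the second save add `assertNull(sessionRepository.findById(originalId));` and `assertNotNull(sessionRepository.findById(session.getId()));` so the test pins both halves of the fix.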
    
  • spring/spring5/spring5-embedded/src/main/java/org/infinispan/spring/embedded/session/InfinispanEmbeddedSessionRepository.java +8 -0 modified
    @@ -1,5 +1,7 @@
     package org.infinispan.spring.embedded.session;
     
    +import org.infinispan.Cache;
    +import org.infinispan.context.Flag;
     import org.infinispan.spring.common.provider.SpringCache;
     import org.infinispan.spring.common.session.AbstractInfinispanSessionRepository;
     
    @@ -19,4 +21,10 @@ public class InfinispanEmbeddedSessionRepository extends AbstractInfinispanSessi
        public InfinispanEmbeddedSessionRepository(SpringCache cache) {
           super(cache, new EmbeddedApplicationPublishedBridge(cache));
        }
    +
    +   @Override
    +   protected void removeFromCacheWithoutNotifications(String originalId) {
    +      Cache nativeCache = (Cache) cache.getNativeCache();
    +      nativeCache.getAdvancedCache().withFlags(Flag.SKIP_LISTENER_NOTIFICATION).remove(originalId);
    +   }
     }
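Review bot: `Cache nativeCache = (Cache) cache.getNativeCache();` uses the raw type and will produce unchecked warnings; `Cache<?, ?>` is enough here since only `remove(Object)` is called. Unlike the remote counterpart in this change, the embedded removal ignores SpringCache.getWriteTimeout(); if that is intentional because local removes complete synchronously, a one-line comment saying so spares the next reviewer the same question.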
    
  • spring/spring5/spring5-embedded/src/test/java/org/infinispan/spring/embedded/session/EmbeddedApplicationPublishedBridgeTest.java +5 -0 modified
    @@ -62,4 +62,9 @@ public void testEventBridge() throws Exception {
        public void testUnregistration() throws Exception {
           super.testUnregistration();
        }
    +
    +   @Override
    +   public void testEventBridgeWithSessionIdChange() throws Exception {
    +      super.testEventBridgeWithSessionIdChange();
    +   }
     }
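Review bot: the override of testEventBridgeWithSessionIdChange only delegates to super, following the testUnregistration override above it. If the pattern exists so the inherited TCK method is picked up by this subclass's test runner, a short comment on the class (or on the first such override) should say so; otherwise the override adds nothing and the inherited method can be relied on directly.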
    
  • spring/spring5/spring5-remote/src/main/java/org/infinispan/spring/remote/session/InfinispanRemoteSessionRepository.java +24 -1 modified
    @@ -1,6 +1,13 @@
     package org.infinispan.spring.remote.session;
     
     
    +import java.util.concurrent.ExecutionException;
    +import java.util.concurrent.TimeUnit;
    +import java.util.concurrent.TimeoutException;
    +
    +import org.infinispan.client.hotrod.Flag;
    +import org.infinispan.client.hotrod.RemoteCache;
    +import org.infinispan.commons.CacheException;
     import org.infinispan.spring.common.provider.SpringCache;
     import org.infinispan.spring.common.session.AbstractInfinispanSessionRepository;
     
    @@ -11,7 +18,6 @@
      * @since 9.0
      */
     public class InfinispanRemoteSessionRepository extends AbstractInfinispanSessionRepository {
    -
        /**
         * Creates new repository based on {@link SpringCache}
         *
    @@ -20,4 +26,21 @@ public class InfinispanRemoteSessionRepository extends AbstractInfinispanSession
        public InfinispanRemoteSessionRepository(SpringCache cache) {
           super(cache, new RemoteApplicationPublishedBridge(cache));
        }
    +
    +   @Override
    +   protected void removeFromCacheWithoutNotifications(String originalId) {
    +      RemoteCache remoteCache = (RemoteCache) cache.getNativeCache();
    +      if (cache.getWriteTimeout() > 0) {
    +         try {
    +            remoteCache.withFlags(Flag.SKIP_LISTENER_NOTIFICATION).removeAsync(originalId).get(cache.getWriteTimeout(), TimeUnit.MILLISECONDS);
    +         } catch (InterruptedException e) {
    +            Thread.currentThread().interrupt();
    +            throw new CacheException(e);
    +         } catch (ExecutionException | TimeoutException e) {
    +            throw new CacheException(e);
    +         }
    +      } else {
    +         remoteCache.withFlags(Flag.SKIP_LISTENER_NOTIFICATION).remove(originalId);
    +      }
    +   }
     }
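Review bot: in the timed branch a TimeoutException is turned into a CacheException, but the future returned by removeAsync() is left running, so the old session id may still be removed some time after the caller was told the write failed; cancel it in that catch block (`future.cancel(true)`) or document that the removal stays in flight. The `remoteCache.withFlags(Flag.SKIP_LISTENER_NOTIFICATION)` call is duplicated in both branches; hoisting `RemoteCache<?, ?> silent = remoteCache.withFlags(Flag.SKIP_LISTENER_NOTIFICATION);` above the `if` removes the duplication and the raw `RemoteCache` type at the same time.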
    
  • spring/spring5/spring5-remote/src/test/java/org/infinispan/spring/remote/session/RemoteApplicationPublishedBridgeTest.java +5 -0 modified
    @@ -95,6 +95,11 @@ public void testReadEventWithoutValue() {
           assertEquals(id, value.getId());
        }
     
    +   @Override
    +   public void testEventBridgeWithSessionIdChange() throws Exception {
    +      super.testEventBridgeWithSessionIdChange();
    +   }
    +
        class TestEvent implements ClientCacheEntryCustomEvent<byte[]> {
     
           private String sessionId;
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.