In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This exposes the session id to anyone with access to the application logs, who can use it for session hijacking. Specifically, an application is vulnerable if it uses HeaderHttpSessionIdResolver.
References
| Link | Resource |
|---|---|
| https://spring.io/security/cve-2023-20866 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: vmware
Published: 2023-04-13T00:00:00
Updated: 2023-04-13T00:00:00
Reserved: 2022-11-01T00:00:00
Link: CVE-2023-20866
NVD Information
Status : Analyzed
Published: 2023-04-13T20:15:08.263
Modified: 2023-04-21T18:51:45.193
Link: CVE-2023-20866
Redhat Information
No data.