PT-2023-17681 · Unknown · Spring Session
Benedikt Halser
Published 2023-04-13 · Updated 2023-04-21
CVE-2023-20866
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Session version 3.0.0
Description
The session id can be logged to the standard output stream, exposing sensitive information to anyone who has access to the application logs. A logged session id can be used for session hijacking; this affects, in particular, applications that use HeaderHttpSessionIdResolver.
Recommendations
For Spring Session version 3.0.0, consider disabling HeaderHttpSessionIdResolver to minimize the risk of exploitation until a patch is available. Restrict access to application logs to prevent unauthorized access to sensitive session information.
Fix
Information Disclosure
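As an added example (not part of this advisory or of Spring Session), the following Python script supports the second recommendation above: it scans application log output for lines that print a session id and redacts them before the logs are stored or shared. The log lines are constructed; the assumption that session ids are UUIDs and that the header is named X-Auth-Token is ours, not something the advisory states.

```python
import re

# Constructed sample log lines, modelled on an application that prints the
# resolved session id (the behaviour described for CVE-2023-20866).
# Assumptions (not stated in the advisory): session ids are UUIDs and the
# header carrying them is X-Auth-Token.
SAMPLE_LOG = """\
2023-04-13 10:01:02 INFO  c.e.app.Filter - request GET /api/orders
2023-04-13 10:01:02 DEBUG o.s.s.web.http - resolved session id 1b4e28ba-2fa1-11d2-883f-0016d3cca427 from header X-Auth-Token
2023-04-13 10:01:03 INFO  c.e.app.Filter - X-Auth-Token: 9f6a7d2e-4b1c-4f38-9c5d-0a1b2c3d4e5f
2023-04-13 10:01:04 INFO  c.e.app.Filter - request POST /api/login
"""

UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)
# Context words that tell a session id apart from other UUIDs (order ids, trace ids).
SESSION_CONTEXT_RE = re.compile(r"session\s*id|x-auth-token|sessionid", re.I)


def find_leaked_session_ids(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, session_id) for every line that prints a session id."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not SESSION_CONTEXT_RE.search(line):
            continue
        for m in UUID_RE.finditer(line):
            findings.append((lineno, m.group(0)))
    return findings


def redact_session_ids(log_text: str) -> str:
    """Replace session ids on context lines with a marker; other UUIDs are kept."""
    out = []
    for line in log_text.splitlines():
        if SESSION_CONTEXT_RE.search(line):
            line = UUID_RE.sub("[REDACTED-SESSION-ID]", line)
        out.append(line)
    return "\n".join(out) + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, sid in find_leaked_session_ids(SAMPLE_LOG):
        print(f"line {lineno}: session id exposed ({sid[:8]}...)")
    print(redact_session_ids(SAMPLE_LOG))
```

Run it over a real log file to confirm whether the affected version is actually emitting session ids in your deployment, and keep the redacted copy as the one that leaves the host.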
Weakness Enumeration
Related identifiers
Affected products
Spring Session