PT-2023-17681 · Unknown · Spring Session

Benedikt Halser · Published 2023-04-13 · Updated 2023-04-21 · CVE-2023-20866

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Spring Session version 3.0.0

Description: The session id can be logged to the standard output stream, exposing sensitive information to those who have access to the application logs. This can be used for session hijacking, specifically in applications using HeaderHttpSessionIdResolver.

Recommendations: For Spring Session version 3.0.0, consider disabling the HeaderHttpSessionIdResolver to minimize the risk of exploitation until a patch is available. Restrict access to application logs to prevent unauthorized access to sensitive session information.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2023-20866
GHSA-R7QR-F43M-PXFR

Affected Products

Spring Session