Session Hijacking Vulnerability in Spring Session by VMWare
CVE-2023-20866

6.5MEDIUM

Key Information:

Vendor
Vmware
Vendor
CVE Published:
13 April 2023

Summary

In Spring Session version 3.0.0, sensitive session IDs can inadvertently be logged to the standard output stream, potentially exposing them to unauthorized users who have access to application logs. This can lead to session hijacking attacks. The vulnerability specifically affects applications utilizing the HeaderHttpSessionIdResolver, making it crucial for developers to ensure that logging practices do not compromise sensitive information.

Affected Version(s)

Spring Session Spring session versions 3.0.x prior to 3.0.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.