Session Hijacking Vulnerability in Spring Session by VMWare
CVE-2023-20866
6.5MEDIUM
Summary
In Spring Session version 3.0.0, sensitive session IDs can inadvertently be logged to the standard output stream, potentially exposing them to unauthorized users who have access to application logs. This can lead to session hijacking attacks. The vulnerability specifically affects applications utilizing the HeaderHttpSessionIdResolver, making it crucial for developers to ensure that logging practices do not compromise sensitive information.
Affected Version(s)
Spring Session Spring session versions 3.0.x prior to 3.0.1
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved