Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-20866

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

Published

2023-04-13T20:15:08.263

Last Modified

2025-02-07T17:15:24.140

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_session	3.0.0	Yes

References

https://spring.io/security/cve-2023-20866 Vendor Advisory ([email protected])
https://spring.io/security/cve-2023-20866 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)