CVE-2023-20866

Published: Apr 13, 2023

Modified: Feb 7, 2025

Status: PUBLISHED

Description

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

Affected products

Vendor: n/a
Product: Spring Session
Versions: affected - Spring Session versions 3.0.x prior to 3.0.1

Weaknesses (CWE)
