CVE-2023-20866: Infoleak
First published: Thu Apr 13 2023(Updated: )
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vmware Spring Session | =3.0.0 | |
| =3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-20866?
The severity of CVE-2023-20866 is medium with a CVSS score of 6.5.
How does CVE-2023-20866 expose sensitive information?
CVE-2023-20866 exposes sensitive information by logging the session ID to the standard output stream, which can be accessed by those who have access to the application logs.
What is the impact of CVE-2023-20866?
The impact of CVE-2023-20866 is session hijacking, as the exposed session ID can be used by attackers to hijack user sessions.
How can I fix CVE-2023-20866?
To fix CVE-2023-20866, upgrade to a fixed version of Spring Session where the vulnerability is patched.
Where can I find more information about CVE-2023-20866?
More information about CVE-2023-20866 can be found at the following reference URL: [Spring Security Advisory](https://spring.io/security/cve-2023-20866).
- collector/nvd-index
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/vmware
- canonical/vmware spring session
- version/vmware spring session/3.0.0