CVE-2023-20866

2023-04-1320:15:08

CWE-200

vmware

web.nvd.nist.gov

spring session

vulnerability

session hijacking

cve-2023-20866

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

22.8%

JSON

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

Affected configurations

Nvd

Node

vmwarespring_sessionMatch3.0.0

VendorProductVersionCPE
vmwarespring_session3.0.0cpe:2.3:a:vmware:spring_session:3.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	spring_session	3.0.0	cpe:2.3:a:vmware:spring_session:3.0.0:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Spring Session",
    "versions": [
      {
        "version": "Spring session versions 3.0.x prior to 3.0.1",
        "status": "affected"
      }
    ]
  }
]