Lucene search

GoogleOSV:GHSA-R7QR-F43M-PXFR

HistoryApr 13, 2023 - 9:30 p.m.

Spring Session session ID can be logged to the standard output stream

2023-04-1321:30:27

Google

osv.dev

spring session

version 3.0.0

vulnerability

session id

standard output

sensitive information

application logs

session hijacking

headerhttpsessionidresolver

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

CPENameOperatorVersion
org.springframework.session:spring-session-coreeq3.0.0

CPE	Name	Operator	Version
	org.springframework.session:spring-session-core	eq	3.0.0

References

github.com/spring-projects/spring-session

github.com/spring-projects/spring-session/commit/c98a7be0e2ced7f795018f05397dca4bd5ca8212

github.com/spring-projects/spring-session/issues/2215

nvd.nist.gov/vuln/detail/CVE-2023-20866

spring.io/security/cve-2023-20866

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for OSV:GHSA-R7QR-F43M-PXFR