CVE-2023-20866

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Published: Apr 13, 2023 / Updated: 19mo ago

CVSS 6.5 / EPSS 0.05% / Medium

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2023-20866.

Apr 12, 2023 at 1:19 PM / spring.io
EPSS

EPSS Score was set to: 0.05% (Percentile: 12.9%)

Sep 19, 2023 at 4:47 AM

Affected Systems

Vmware/spring_session

Patches

bugzilla.redhat.com

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-116: Excavation

News

Information disclosure in IBM Process Mining
The vulnerability allows a remote user to gain access to potentially sensitive information. This security bulletin contains one low risk vulnerability.
Security Bulletin: Vulnerability in Spring Session affects IBM Process Mining (CVE-2023-20866)
Vulnerability Details. CVEID: CVE-2023-20866. DESCRIPTION: VMware Tanzu Spring Session could allow a local authenticated attacker to obtain sensitive information, caused by the storage of the session id in the log file. Search for M0FHQML Process Mining 1.14.2 Server Multiplatform Multilingual 3.
CVE-2023-20866
This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. - CVSS Scores & Vulnerability Types
🚨 NEW: CVE-2023-20866 🚨 In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs... Severity: MEDIUM https://nvd.nist.gov/vuln/detail/CVE-2023-20866
[GHSA-r7qr-f43m-pxfr] Spring Session session ID can be logged to the standard output stream
GitHub Security Advisory: GHSA-r7qr-f43m-pxfr
Release Date: 2023-04-13
Update Date: 2023-04-17
Severity: Moderate
CVE: CVE-2023-20866
Package: org.springframework.session:spring-session-core
Affected Versions: = 3.0.0
Patched Versions: 3.0.1
Description: In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
