CVE-2023-20866 — Spring Session session ID can be logged to the standard output stream

Description

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

How to fix CVE-2023-20866

To remediate CVE-2023-20866, upgrade the affected package to a fixed version below.

—upgrade to 3.0.1 or later

Is CVE-2023-20866 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.0.0, < 3.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-20866
PATCHgithub.com/spring-projects/spring-session
WEBgithub.com/spring-projects/spring-session/commit/c98a7be0e2ced7f795018f05397dca4bd5ca8212
WEBgithub.com/spring-projects/spring-session/issues/2215