CVE-2023-20866: Spring Session session ID can be logged to the standard output stream

April 13, 2023 (updated April 17, 2023)

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

References

github.com/advisories/GHSA-r7qr-f43m-pxfr
github.com/spring-projects/spring-session/commit/c98a7be0e2ced7f795018f05397dca4bd5ca8212
github.com/spring-projects/spring-session/issues/2215
nvd.nist.gov/vuln/detail/CVE-2023-20866
spring.io/security/cve-2023-20866

Detect and mitigate CVE-2023-20866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →