CVE-2023-20866

CVE-2023-20866

Vendor N/A

Product Spring Session

Weakness CWE-200 · Info exposure

Published April 13, 2023

Last update February 7, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

Key dates

02Disclosure timeline

April 13, 2023 CVE published

February 7, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-20866 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

01Description

02Disclosure timeline

03References

04Related CVE