
=====================================================================

                                CERT-Renater

                     Information Note No. 2023/VULN158
_____________________________________________________________________

DATE                : 14/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Session version 3.0.0.

=====================================================================
https://spring.io/security/cve-2023-20866/
_____________________________________________________________________

CVE-2023-20866: Session ID can be logged to the standard output
stream in Spring Session
MEDIUM | APRIL 12, 2023 | CVE-2023-20866

Description

In Spring Session version 3.0.0, the session id can be
logged to the standard output stream. This vulnerability
exposes sensitive information to those who have access
to the application logs and can be used for session hijacking.

Specifically, an application is vulnerable when the following
is true:

     You are using the HeaderHttpSessionIdResolver

An application is not vulnerable if any of the following is true:

     You are not using the HeaderHttpSessionIdResolver

Affected Spring Products and Versions

Spring Session 3.0.0


Mitigation

Users of affected versions should upgrade to Spring Session
3.0.1. Releases that have fixed this issue include:

     Spring Session 3.0.1
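A defender's triage script, added here as an example and not part of the CERT-Renater or Spring advisory: it flags Spring Session artifacts at the affected version in a dependency listing and picks out UUID-shaped values written to standard output, which on an affected deployment are session ids that have reached the logs and should be invalidated. It assumes session ids use Spring Session's default UUID format and that the dependency listing carries Maven coordinates; both sample inputs are constructed.

```python
import re
from typing import Iterable

AFFECTED_VERSION = "3.0.0"   # the one version the advisory lists as affected
FIXED_VERSION = "3.0.1"      # the release that fixes it

# Assumption: session ids are Spring Session's default UUIDs; adjust the
# pattern if the deployment uses a custom session id generator.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
# Maven/Gradle coordinates of the library the advisory concerns.
COORD_RE = re.compile(
    r"org\.springframework\.session:(spring-session-[\w-]+):([\d.]+)")


def is_affected(version: str) -> bool:
    """True only for the single version the advisory lists as affected."""
    return version.strip() == AFFECTED_VERSION


def affected_dependencies(dependency_tree: str) -> list[tuple[str, str]]:
    """Spring Session artifacts at the affected version, taken from a
    'mvn dependency:tree' or 'gradle dependencies' style listing."""
    return [(a, v) for a, v in COORD_RE.findall(dependency_tree) if is_affected(v)]


def leaked_session_ids(stdout_lines: Iterable[str]) -> list[tuple[int, str]]:
    """(line number, id) for every UUID-shaped token written to stdout; on an
    affected version these are session ids anyone reading the logs can reuse."""
    return [(n, m.lower()) for n, line in enumerate(stdout_lines, 1)
            for m in UUID_RE.findall(line)]


# Constructed sample input, not real captured output.
SAMPLE_TREE = """\
+--- org.springframework.session:spring-session-core:3.0.0
+--- org.springframework.session:spring-session-data-redis:3.0.0
+--- org.springframework.boot:spring-boot-starter-web:3.0.5
"""
SAMPLE_STDOUT = [
    "2023-04-12T10:00:01Z INFO  TomcatWebServer - Tomcat started on port(s): 8080",
    "6f1c2b3a-9d4e-4f50-8a61-0b2c3d4e5f60",
    "2023-04-12T10:00:03Z INFO  OrderController - GET /orders 200",
]

if __name__ == "__main__":
    for artifact, version in affected_dependencies(SAMPLE_TREE):
        print(f"upgrade {artifact} {version} -> {FIXED_VERSION}")
    for n, sid in leaked_session_ids(SAMPLE_STDOUT):
        print(f"stdout line {n}: session id exposed, invalidate {sid}")
```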

Credit

This issue was identified and responsibly reported by
Benedikt Halser from DATEV eG.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

