Description
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.
References
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:vmware:spring_session:3.0.0:*:*:*:*:*:*:*
EPSS
Percentile: 64%
Score: 0.00462
Low
CVSS3: 6.5 Medium
Weaknesses
CWE-200
NVD-CWE-noinfo
CWE-200
Related vulnerabilities
CVSS3: 6.5
redhat
almost 3 years ago
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.
CVSS3: 6.5
github
almost 3 years ago
Spring Session session ID can be logged to the standard output stream