Description
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.
A flaw was found in Spring Session. If using HeaderHttpSessionIdResolver, the session id can be logged to the standard output stream. This may log sensitive information and could be used by an attacker for session hijacking.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Data Grid 8 | spring-session | Not affected | | |
| Red Hat JBoss Data Grid 7 | spring-session | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | spring-session | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | spring-session | Not affected | | |
| Red Hat OpenShift Dev Spaces | devspaces-pluginregistry-rhel8-container=new | Not affected | | |
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium
Related vulnerabilities
- Spring Session session ID can be logged to the standard output stream (EPSS: ; CVSS3: 6.5 Medium)