Bug 2193230 (CVE-2023-20866)

Summary: CVE-2023-20866 spring-session: Improper log of session id in standard output stream
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, nboldt, nwallace, pjindal, pmackay, rstancel, scorneli, smaestri, tom.jenkinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Spring Session 3.0.1 Doc Type: ---
Doc Text:
A flaw was found in Spring Session. If using HeaderHttpSessionIdResolver, the session id can be logged to the standard output stream. This may log sensitive information and could be used by an attacker for session hijacking.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-30 23:12:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2186656    

Description Patrick Del Bello 2023-05-04 19:07:04 UTC 
In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using HeaderHttpSessionIdResolver.

https://spring.io/security/cve-2023-20866
Comment 1 Product Security DevOps Team 2023-05-30 23:12:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-20866