CVE-2023-20862

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-20862
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-20862.json
Published
2023-04-19T20:15:10Z
Modified
2023-11-29T09:35:39.291044Z
Details

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they have performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-security
Affected versions

5.*

5.6.10
5.7.6
5.7.7
5.8.0
5.8.1
5.8.2

6.*

6.0.0
6.0.1
6.0.2