CVE-2023-20862 – org.springframework.security:spring-security-core
Package
Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=5.7.0 <5.7.8 || >=5.8.0 <5.8.3 || >=6.0.0 <6.0.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00372 (percentile 0.5814)
Details
Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clear the security context when the context is stored in serialized form. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository, so a logout handler cannot force the stored context to be emptied. As a result, a user can remain authenticated after performing a logout, because the stale stored context is read back on later requests.

Users of affected versions should apply the following mitigation: 5.7.x users should upgrade to 5.7.8, 5.8.x users should upgrade to 5.8.3, and 6.0.x users should upgrade to 6.0.3.
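The following is an added example, not code from the advisory or from the Spring Security project. It shows a defence-in-depth logout configuration for Spring Security 6.0.x (the jakarta.servlet imports; 5.7.x/5.8.x use javax.servlet instead) that does not rely on the framework's own logout handler to empty the stored context: it removes the serialized context from the session under the well-known SPRING_SECURITY_CONTEXT key, invalidates the session, empties the thread-bound context and then explicitly saves an empty context through the repository. The class names ExplicitLogoutConfig and ExplicitContextClearingLogoutHandler are hypothetical. This does not replace the upgrade the advisory calls for; it is an extra safeguard while the upgrade is rolled out.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical configuration class (added example, not project code).
@Configuration
@EnableWebSecurity
public class ExplicitLogoutConfig {

    // Hypothetical handler: empties the stored security context on logout
    // without depending on SecurityContextLogoutHandler doing it correctly.
    static final class ExplicitContextClearingLogoutHandler implements LogoutHandler {
        private final SecurityContextRepository repository;

        ExplicitContextClearingLogoutHandler(SecurityContextRepository repository) {
            this.repository = repository;
        }

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response,
                           Authentication authentication) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                // Drop the serialized context under the key the repository uses,
                // so a session store that persists attributes cannot keep it.
                session.removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
                session.invalidate();
            }
            // Replace the thread-bound context with an empty one for the rest of this request.
            SecurityContext empty = SecurityContextHolder.createEmptyContext();
            SecurityContextHolder.setContext(empty);
            // Ask the repository to persist the empty context explicitly; with the session
            // already invalidated this must not create a new session or store anything.
            this.repository.saveContext(empty, request, response);
            SecurityContextHolder.clearContext();
        }
    }

    @Bean
    SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repository)
            throws Exception {
        http
            .securityContext(ctx -> ctx.securityContextRepository(repository))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutUrl("/logout")
                // Keep the framework defaults as well; handlers added here run first.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .addLogoutHandler(new ExplicitContextClearingLogoutHandler(repository))
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}
```

To check the behaviour end to end rather than trusting the configuration, log in, record the session cookie, call POST /logout with the CSRF token, then replay the original session cookie against a protected URL: on a correctly behaving deployment the replayed request must be treated as unauthenticated (redirect to login or 401), never served with the pre-logout identity.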
Metadata
Created: 2023-04-19T21:30:26Z
Modified: 2023-08-23T22:15:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-x873-6rgc-94jc/GHSA-x873-6rgc-94jc.json
CWE IDs: ["CWE-459"] (Incomplete Cleanup)
Alternative ID: GHSA-x873-6rgc-94jc
Finding: F076
Auto approve: 1