Vulnerability Description
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | >= 5.7.0, < 5.7.8 |
| Netapp | Active Iq Unified Manager | - |
Related Weaknesses (CWE)
References
- https://security.netapp.com/advisory/ntap-20230526-0002/Third Party Advisory
- https://spring.io/security/cve-2023-20862Vendor Advisory
- https://security.netapp.com/advisory/ntap-20230526-0002/Third Party Advisory
- https://spring.io/security/cve-2023-20862Vendor Advisory
FAQ
What is CVE-2023-20862?
CVE-2023-20862 is a vulnerability with a CVSS score of 6.3 (MEDIUM). In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized...
How severe is CVE-2023-20862?
CVE-2023-20862 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-20862?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Security, Netapp Active Iq Unified Manager.