CVE-2023-20862

MEDIUM6.3EPSS 0.46%

Spring Security logout not clearing security context

發布日:2023/4/19修改日:2024/2/16

描述

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

受影響套件(1)

Maven/org.springframework.security:spring-security-core>= 5.7.0, < 5.7.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-20862
PATCHhttps://github.com/spring-projects/spring-security
WEBhttps://security.netapp.com/advisory/ntap-20230526-0002
WEBhttps://spring.io/security/cve-2023-20862