CVE-2023-20862
First published: Wed Apr 19 2023(Updated: )
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Credit: security@vmware.com security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.springframework.security:spring-security-core | >=6.0.0<6.0.3 | 6.0.3 |
| maven/org.springframework.security:spring-security-core | >=5.8.0<5.8.3 | 5.8.3 |
| maven/org.springframework.security:spring-security-core | >=5.7.0<5.7.8 | 5.7.8 |
| redhat/spring-security | <5.7.8 | 5.7.8 |
| redhat/spring-security | <5.8.3 | 5.8.3 |
| redhat/spring-security | <6.0.3 | 6.0.3 |
| Vmware Spring Security | >=5.7.0<5.7.8 | |
| Vmware Spring Security | >=5.8.0<5.8.3 | |
| Vmware Spring Security | >=6.0.0<6.0.3 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security.netapp.com/advisory/ntap-20230526-0002/
- https://spring.io/security/cve-2023-20862
- https://nvd.nist.gov/vuln/detail/CVE-2023-20862
- https://github.com/advisories/GHSA-x873-6rgc-94jc (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2227790
- https://access.redhat.com/errata/RHSA-2024:0778
- https://bugzilla.redhat.com/show_bug.cgi?id=2227788
Frequently Asked Questions
What is CVE-2023-20862?
CVE-2023-20862 is a vulnerability in Spring Security versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3 that affects the logout support feature.
How does CVE-2023-20862 impact Spring Security?
CVE-2023-20862 impacts Spring Security by not properly cleaning the security context during logout if using serialized versions, and by not allowing saving an empty security context to the Http.
What is the severity of CVE-2023-20862?
CVE-2023-20862 has a severity keyword of 'medium' and a CVSS severity value of 6.3.
How can I fix CVE-2023-20862?
To fix CVE-2023-20862, you should upgrade to Spring Security versions 5.7.8, 5.8.3, or 6.0.3.
Where can I find more information about CVE-2023-20862?
You can find more information about CVE-2023-20862 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-20862), [Spring Security](https://spring.io/security/cve-2023-20862), [Netapp Advisory](https://security.netapp.com/advisory/ntap-20230526-0002/).
- collector/github-advisory-latest
- alias/GHSA-x873-6rgc-94jc
- alias/CVE-2023-20862
- collector/github-advisory
- agent/type
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/maven
- vendor/vmware
- canonical/vmware spring security
- version/vmware spring security/5.7.0
- version/vmware spring security/5.8.0
- version/vmware spring security/6.0.0
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- package-manager/redhat