SpringSec 5.7.8+ Logout Not Clearing Security Context (CVE-2023-20862)
CVE-2023-20862 Published on April 19, 2023
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Vulnerability Analysis
CVE-2023-20862 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is an Insufficient Cleanup Vulnerability?
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
CVE-2023-20862 has been classified to as an Insufficient Cleanup vulnerability or weakness.
Products Associated with CVE-2023-20862
stack.watch emails you whenever new vulnerabilities are published in VMware Spring Security or NetApp Active Iq Unified Manager. Just hit a watch button to start following.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.