In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
References
Link | Resource |
---|---|
https://security.netapp.com/advisory/ntap-20230526-0002/ | Third Party Advisory |
https://spring.io/security/cve-2023-20862 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
23 Aug 2023, 18:34
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netapp
Netapp active Iq Unified Manager |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230526-0002/ - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
CPE | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
26 May 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2023-04-19 20:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-20862
Mitre link : CVE-2023-20862
CVE.ORG link : CVE-2023-20862
JSON object : View
Products Affected
vmware
- spring_security
netapp
- active_iq_unified_manager
CWE
CWE-459
Incomplete Cleanup