CVE-2023-20862

Published: 19 Apr 2023
Source: redhat
CVSS3: 6.3
EPSS: Low

Description

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout.

Affected packages

Platform                                          | Package                            | State                | Recommendation | Release
--------------------------------------------------|------------------------------------|----------------------|----------------|--------
A-MQ Clients 2                                    | spring-security                    | Not affected         |                |
Red Hat build of Apache Camel for Spring Boot 3   | spring-security                    | Not affected         |                |
Red Hat build of Quarkus                          | io.quarkus/quarkus-spring-security | Will not fix         |                |
Red Hat Data Grid 8                               | spring-security                    | Not affected         |                |
Red Hat Decision Manager 7                        | spring-security                    | Out of support scope |                |
Red Hat Enterprise Linux 8                        | log4j:2/log4j                      | Not affected         |                |
Red Hat Enterprise Linux 9                        | log4j                              | Not affected         |                |
Red Hat Fuse 7                                    | spring-security                    | Out of support scope |                |
Red Hat Integration Camel Quarkus 2               | spring-security                    | Will not fix         |                |
Red Hat JBoss A-MQ 6                              | spring-security                    | Out of support scope |                |

Additional information

Status: Moderate
Defect: CWE-459
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2227788 (spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout)

EPSS: 0.00372 (percentile 58%, Low)

CVSS3: 6.3 Medium

Related vulnerabilities

nvd, CVSS3: 6.3, almost 3 years ago


github, CVSS3: 6.3, almost 3 years ago

Spring Security logout not clearing security context

fstec, CVSS3: 9.8, almost 2 years ago

A vulnerability in the Spring Security Java framework for securing enterprise applications, related to incomplete cleanup of temporary or auxiliary resources, which allows an attacker to gain access to confidential data or cause a denial of service.
