Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

Published

2023-04-19T20:15:10.910

Last Modified

2025-02-05T16:15:33.953

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-459
Type: Secondary
CWE-459

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_security	< 5.7.8	Yes
Application	vmware	spring_security	< 5.8.3	Yes
Application	vmware	spring_security	< 6.0.3	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes

References

https://security.netapp.com/advisory/ntap-20230526-0002/ Third Party Advisory ([email protected])
https://spring.io/security/cve-2023-20862 Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230526-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://spring.io/security/cve-2023-20862 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)