CVE-2023-20862

CVE Database · CVE-2023-20862

CVE-2023-20862

· MEDIUMModified

CVSS v3.1

6.3

EPSS

0.65%

Published

Apr 19, 2023

Modified

Feb 5, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses (CWE)

CWE-459CWE-459

Affected Products (6)

vmware · spring_security (up to 5.7.8)vulnerable

vmware · spring_security (up to 5.8.3)vulnerable

vmware · spring_security (up to 6.0.3)vulnerable

netapp · active_iq_unified_managervulnerable

References (4)

https://security.netapp.com/advisory/ntap-20230526-0002/

Third Party Advisory