Bug 2227788 (CVE-2023-20862)
Summary: | CVE-2023-20862 spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Sayan Biswas <sabiswas> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, alampare, alazarot, anstephe, apjagtap, asatyam, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dfreiber, dhanak, diagrawa, dkreling, dosoudil, drichtar, ellin, emingora, fjuma, fmongiar, gjospin, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jburrell, jmartisk, jnethert, jpoth, jrokos, jross, kverlaen, lbacciot, lgao, lthon, max.andersen, mizdebsk, mnovotny, mosmerov, msochure, mstefank, msvehla, nboldt, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | spring-security 5.7.8, spring-security 5.8.3, spring-security 6.0.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2227790 | ||
Bug Blocks: | 2227792 |
Description
Avinash Hanwate
2023-07-31 13:47:01 UTC
Created log4j tracking bugs for this issue: Affects: fedora-all [bug 2227790] This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778 |