2227788 – (CVE-2023-20862) CVE-2023-20862 spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout

Bug 2227788 (CVE-2023-20862) - CVE-2023-20862 spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout

Summary: CVE-2023-20862 spring-security: Empty SecurityContext Is Not Properly Saved U...

Keywords:
Status:	NEW
Alias:	CVE-2023-20862
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Sayan Biswas
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2227790
Blocks:	2227792
TreeView+	depends on / blocked

Reported:	2023-07-31 13:47 UTC by Avinash Hanwate
Modified:	2024-05-03 18:49 UTC (History)
CC List:	80 users (show)
Fixed In Version:	spring-security 5.7.8, spring-security 5.8.3, spring-security 6.0.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0778	0	None	None	None	2024-02-12 10:37:10 UTC

Description Avinash Hanwate 2023-07-31 13:47:01 UTC

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

https://spring.io/security/cve-2023-20862
https://security.netapp.com/advisory/ntap-20230526-0002/

Comment 1 Avinash Hanwate 2023-07-31 14:02:17 UTC

Created log4j tracking bugs for this issue:

Affects: fedora-all [bug 2227790]

Comment 8 errata-xmlrpc 2024-02-12 10:37:06 UTC

This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alampare
alazarot
anstephe
apjagtap
asatyam
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
dfreiber
dhanak
diagrawa
dkreling
dosoudil
drichtar
ellin
emingora
fjuma
fmongiar
gjospin
gmalinko
gsmet
ibek
ivassile
iweiss
janstey
jburrell
jmartisk
jnethert
jpoth
jrokos
jross
kverlaen
lbacciot
lgao
lthon
max.andersen
mizdebsk
mnovotny
mosmerov
msochure
mstefank
msvehla
nboldt
nwallace
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
pskopek
rguimara
rkieley
rogbas
rowaters
rruss
rstancel
rsvoboda
sbiarozk
scorneli
sdouglas
smaestri
sthorger
tcunning
tom.jenkinson
tqvarnst
vkumar
yfang