PT-2023-9021 · Spring · Spring Security

Daniel Furtlehner · Published 2023-04-18 · Updated 2024-04-17 · CVE-2023-20862

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Spring Security versions 5.7.x through 5.7.7
Spring Security versions 5.8.x through 5.8.2
Spring Security versions 6.0.x through 6.0.2

Description

The logout support does not properly clear the security context when serialized security contexts are in use, and it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. As a result, users can remain authenticated even after they have logged out. The weakness is incomplete cleanup of temporary or auxiliary resources, which allows a remote attacker to access confidential data or cause a denial of service.

Recommendations

For Spring Security versions 5.7.x, upgrade to 5.7.8.
For Spring Security versions 5.8.x, upgrade to 5.8.3.
For Spring Security versions 6.0.x, upgrade to 6.0.3.

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-03033
CVE-2023-20862
GHSA-X873-6RGC-94JC
RHSA-2024:0778

Affected Products

Spring Security