Incomplete Cleanup

CVE-2023-20862

Severity High
Score 9.8/10

Summary

In Spring Security, the logout support does not properly clear the security context when serialized versions are used. Additionally, it is not possible to explicitly save an empty security context to the "HttpSessionSecurityContextRepository". As a result, users can remain authenticated even after they have logged out. This vulnerability affects the "org.springframework.security:spring-security-web" and "org.springframework.security:spring-security-config" packages in versions 5.7.0 through 5.7.7, 5.8.0 through 5.8.2, and 6.0.0 through 6.0.2. Users of affected versions should upgrade to 5.7.8, 5.8.3, or 6.0.3.

CVSS v3 metrics

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: HIGH

CWE-459 - Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Advisory Timeline

  • Published