6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-20862

GHSA ID

GHSA-x873-6rgc-94jc

EPSS Score

0.5911%

CWE

CWE-459

Published

4/19/2023

Updated

11/8/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-20862

CVE-2023-20862: Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-20862

GHSA ID

GHSA-x873-6rgc-94jc

EPSS Score

0.5911%

CWE

CWE-459

Published

4/19/2023

Updated

11/8/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework.security:spring-security-core	maven	>= 5.7.0, < 5.7.8	5.7.8
org.springframework.security:spring-security-core	maven	>= 5.8.0, < 5.8.3	5.8.3
org.springframework.security:spring-security-core	maven	>= 6.0.0, < 6.0.3	6.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper cleanup of the security context during logout when using serialized sessions. The HttpSessionSecurityContextRepository's saveContext() method is explicitly called out in the advisory as the component where empty security contexts cannot be properly saved. This matches the CWE-459 (Incomplete Cleanup) classification, as the method fails to completely remove authentication artifacts from the session storage. The method's interaction with Spring Security's explicit save requirements (requireExplicitSave(true)) and serialized session management creates the vulnerability condition where old credentials persist post-logout.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Sprin* S**urity, v*rsions *.*.x prior to *.*.*, v*rsions *.*.x prior to *.*.*, *n* v*rsions *.*.x prior to *.*.*, t** lo*out support *o*s not prop*rly *l**n t** s**urity *ont*xt i* usin* s*ri*liz** v*rsions. ***ition*lly, it is not possi*l* to *xp

Reasoning

T** vuln*r**ility st*ms *rom improp*r *l**nup o* t** s**urity *ont*xt *urin* lo*out w**n usin* s*ri*liz** s*ssions. T** `*ttpS*ssionS**urity*ont*xtR*pository`'s `s*v**ont*xt()` m*t*o* is *xpli*itly **ll** out in t** **visory *s t** *ompon*nt w**r* *m

6.3

Basic Information

Concerned about an active attack path?

CVE-2023-20862: Spring Security logout not clearing security context

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI