GHSA-x873-6rgc-94jc

Suggest an improvement
Source
https://github.com/advisories/GHSA-x873-6rgc-94jc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-x873-6rgc-94jc/GHSA-x873-6rgc-94jc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x873-6rgc-94jc
Aliases
Published
2023-04-19T21:30:26Z
Modified
2024-02-14T05:31:38.580621Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Spring Security logout not clearing security context
Details

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.

References

Affected packages

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.7.8

Affected versions

5.*

5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.8.3

Affected versions

5.*

5.8.0
5.8.1
5.8.2

Maven / org.springframework.security:spring-security-core

Package

Name
org.springframework.security:spring-security-core
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.3

Affected versions

6.*

6.0.0
6.0.1
6.0.2