VYPR
Moderate severity · NVD Advisory · Published Apr 19, 2023 · Updated Feb 5, 2025

CVE-2023-20862

Description

Spring Security logout fails to clear security context in serialized session environments, allowing users to remain authenticated after logout.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

In Spring Security versions 5.7.x prior to 5.7.8, 5.8.x prior to 5.8.3, and 6.0.x prior to 6.0.3, the logout support does not properly clean the security context when using serialized versions (e.g., Spring Session). Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This flaw can cause users to remain authenticated even after they have performed a logout [1][3].

Exploitation Conditions

The vulnerability is exploitable when an application uses SecurityContextHolderFilter or requireExplicitSave(true) together with Spring Security's logout support and serialized sessions (e.g., Spring Session) with invalidateHttpSession(false). It also affects applications that manually save an empty security context into the HttpSessionSecurityContextRepository or use a custom SecurityContextRepository that does not rely on the HttpSession. Applications using in-memory sessions or the deprecated SecurityContextPersistenceFilter are not affected [3].
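The Spring Security configuration below is an added example, not code from the advisory or from the Spring project. It assembles the settings the conditions above name (SecurityContextHolderFilter selected via requireExplicitSave(true), logout with invalidateHttpSession(false), and a Spring Session-backed session store, assumed here to be Redis) so a team can compare it with its own SecurityFilterChain when deciding whether the upgrade applies. The class and bean names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

// Assumption: Spring Session (Redis store here) serializes the HttpSession, which is the
// "serialized sessions" condition in the advisory. In-memory container sessions are not affected.
@Configuration
@EnableWebSecurity
@EnableRedisHttpSession
public class AffectedLogoutConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // requireExplicitSave(true) installs SecurityContextHolderFilter instead of the
            // deprecated SecurityContextPersistenceFilter: the first affected condition.
            .securityContext(context -> context.requireExplicitSave(true))
            // invalidateHttpSession(false) keeps the serialized session alive across logout:
            // the second affected condition. On spring-security-core < 5.7.8, < 5.8.3 or
            // < 6.0.3 this combination can leave the user authenticated after logout.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(false));
        return http.build();
    }
}
```

Applications that match this shape, or that save an empty security context into HttpSessionSecurityContextRepository themselves, are the ones the advisory describes; the only remedy it gives is moving org.springframework.security:spring-security-core to 5.7.8, 5.8.3 or 6.0.3. A regression check after upgrading is to log in, call /logout, and replay the old session cookie against a protected URL: the replayed request must no longer be treated as authenticated.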

Impact

An attacker who can trigger or observe the logout process may exploit this to maintain unintended authenticated access. The persisted authentication can lead to session hijacking, privilege escalation, or unauthorized access to protected resources, as the user's session remains valid even after the intended logout [1][3].

Mitigation

Users of affected versions should upgrade to Spring Security 5.7.8, 5.8.3, or 6.0.3, depending on their version line. No other workarounds are available. The issue was reported by Daniel Furtlehner from Porsche Informatik and is fixed in the mentioned releases [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                              Ecosystem   Affected versions    Patched versions
org.springframework.security:spring-security-core    Maven       >= 5.7.0, < 5.7.8    5.7.8
org.springframework.security:spring-security-core    Maven       >= 5.8.0, < 5.8.3    5.8.3
org.springframework.security:spring-security-core    Maven       >= 6.0.0, < 6.0.3    6.0.3

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)