CVE-2023-20862

Improper Session Handling
Affects
Spring Security
>=5.7.0 <5.7.8, >=5.8.0 <5.8.3, >=6.0.0 <6.0.3
in
Spring
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by allowing you to manage authentication, authorization, and other security concerns with ease. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, all while allowing Java to be your primary language for application development.

An Improper Session Handling (also called Improper Session Management) vulnerability, CVE-2023-20862, has been found in Spring Security. During logout the SecurityContext is not properly cleared, nor can an empty context be saved in its place, so the session can keep its authenticated context after the user has logged out.

Per OWASP: Improper Session Handling occurs when mobile applications fail to securely manage session tokens, potentially allowing attackers to impersonate users by exploiting session data. Common issues include not invalidating sessions properly on the backend, insufficient timeout protections, or failing to reset session cookies when user roles change. These weaknesses can lead to unauthorized access, fraud, or data theft, making session management a critical part of securing mobile applications. Although OWASP frames the category around mobile clients, the same failure (a session that stays authenticated after the user has logged out) applies equally to server-side web applications such as those built on Spring Security, which is the case here.

This issue affects multiple versions.

Details

Module Info

Vulnerability Info

The vulnerability is in how the SecurityContext is handled during logout. In the affected versions, Spring Security's logout support does not properly clear the security context when a serialized (session-stored) context is in use, and an empty SecurityContext cannot be explicitly saved to the HttpSessionSecurityContextRepository to overwrite it. The stored context therefore survives logout, and a user can remain authenticated after logging out: whoever presents that session afterwards (for example the next person at a shared browser) is still treated as the logged-out user. After upgrading, a quick regression check is to log in, call the logout endpoint, then replay a request with the pre-logout session cookie and confirm it is no longer authenticated.

Credit

  • This issue was identified and reported by Daniel Furtlehner from Porsche Informatik.


Mitigation

Users of the affected versions should apply one of the following mitigations:

  • 5.7.x users should upgrade to 5.7.8.
  • 5.8.x users should upgrade to 5.8.3.
  • 6.0.x users should upgrade to 6.0.3.
  • No other steps are necessary after upgrading.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
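One practical check that follows from the version ranges above, added here as an example (it is not from this page, from HeroDevs, or from the Spring Security project): a POSIX shell function that decides whether a resolved spring-security artifact version falls inside an affected range, plus a scanner that applies it to every Spring Security artifact in `mvn dependency:tree` output. The dependency-tree lines embedded below are constructed for the demonstration; on a real project pipe `mvn dependency:tree` into `scan_dependency_tree`. The grep pattern targets Maven's `group:artifact:jar:version:scope` line format, so Gradle listings would need a different pattern.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Spring Security itself.
# Triage resolved spring-security versions against the affected ranges
# listed for CVE-2023-20862: >=5.7.0 <5.7.8, >=5.8.0 <5.8.3, >=6.0.0 <6.0.3.

# Return 0 (shell "true") when $1 is an affected version, 1 otherwise.
# Accepts Maven-style versions such as 5.7.3, 5.8.2-SNAPSHOT or 5.2.1.RELEASE.
cve_2023_20862_affected() {
  v=${1%%-*}                                 # drop -SNAPSHOT / -RC1 style qualifiers
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  # A missing or non-numeric patch component (a pre-release build of an
  # affected line) is treated as 0, i.e. conservatively flagged.
  case "$patch" in ''|*[!0-9]*) patch=0 ;; esac
  case "$major.$minor" in
    5.7) [ "$patch" -lt 8 ] && return 0 ;;
    5.8) [ "$patch" -lt 3 ] && return 0 ;;
    6.0) [ "$patch" -lt 3 ] && return 0 ;;
  esac
  return 1
}

# Read `mvn dependency:tree` output on stdin and print one verdict line per
# Spring Security artifact: "AFFECTED <artifact> <version>" or "ok <artifact> <version>".
scan_dependency_tree() {
  grep -o 'org\.springframework\.security:[a-z-]*:jar:[^: ]*' |
  while IFS=: read -r _group artifact _type version _scope; do
    if cve_2023_20862_affected "$version"; then
      printf 'AFFECTED %s %s\n' "$artifact" "$version"
    else
      printf 'ok       %s %s\n' "$artifact" "$version"
    fi
  done
}

# Count AFFECTED verdicts for a dependency-tree listing read from stdin.
count_affected() {
  scan_dependency_tree | grep -c '^AFFECTED' || true
}

# Constructed sample of `mvn dependency:tree` output used for the demo
# (two vulnerable 5.7.3 artifacts, one unrelated Boot starter, one fixed 6.0.3).
SAMPLE_TREE='[INFO] +- org.springframework.security:spring-security-web:jar:5.7.3:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:5.7.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.2:compile
[INFO] \- org.springframework.security:spring-security-config:jar:6.0.3:compile'

printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree
```

A non-zero `count_affected` result is a convenient gate for a CI job; note that the check only sees what Maven actually resolved, so run it against the packaged application's dependency tree rather than the declared version in a parent POM.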
Vulnerability Details
ID
CVE-2023-20862
PROJECT Affected
Spring Security
Versions Affected
>=5.7.0 <5.7.8, >=5.8.0 <5.8.3, >=6.0.0 <6.0.3
Published date
April 19, 2023
≈ Fix date
April 19, 2023
Severity
High
Category
Improper Session Handling