CVE-2023-20862: High-severity security vulnerability affecting Spring Framework
Spring Security is an essential part of many Java applications, providing a robust and customizable framework for authentication and authorization. However, recently, a high-severity security vulnerability has been discovered, affecting multiple versions of the framework.
CVE-2023-20862: Empty SecurityContext Is Not Properly Saved Upon Logout
CVE-2023-20862 is a security vulnerability affecting Spring Security, specifically versions 5.7.x prior to 5.7.8, 5.8.x prior to 5.8.3, and 6.0.x prior to 6.0.3. The issue arises because the logout support does not properly clear the security context when serialized sessions are in use. Furthermore, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This can result in users remaining authenticated even after they have logged out. This vulnerability, CVE-2023-20862, was identified and responsibly reported by Daniel Furtlehner from Porsche Informatik.
How to Determine if Your Application is Vulnerable
Your application may be vulnerable to CVE-2023-20862 if any of the following conditions are met:
- You are using the SecurityContextHolderFilter or requireExplicitSave(true) and are using Spring Security’s logout support with serialized sessions (e.g., Spring Session) and invalidateHttpSession(false).
- You are logging users out manually by saving an empty SecurityContext into the HttpSessionSecurityContextRepository.
- You have a custom SecurityContextRepository that does not rely on the HttpSession.
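As an added example, not code from this advisory or from the Spring Security project, here is how the two vulnerable patterns from the list above would appear in a Spring Security 6.0.x Java configuration, so a reviewer can recognise them in a codebase. Spring Session backed by Redis is an assumed session store; the class and method names are the real Spring Security 6 and Jakarta Servlet APIs.

```java
// Added example (not from the advisory): the vulnerable combination of conditions
// as it looks in a Spring Security 6.0.x Java configuration. The Redis-backed
// Spring Session store is an assumption; any serialized session store qualifies.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession // serialized sessions via Spring Session (assumed store)
public class VulnerableLogoutConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Condition 1: requireExplicitSave(true) selects SecurityContextHolderFilter
            .securityContext(context -> context.requireExplicitSave(true))
            // Condition 1 (cont.): the session is kept alive on logout, so the stored
            // context has to be overwritten with an empty one; before 6.0.3 that empty
            // context is not persisted and the serialized session stays authenticated.
            .logout(logout -> logout.invalidateHttpSession(false));
        return http.build();
    }

    // Condition 2: manual logout that saves an empty SecurityContext into the
    // HttpSessionSecurityContextRepository (the pattern a code review should flag).
    static void manualLogout(HttpServletRequest request, HttpServletResponse response) {
        SecurityContextRepository repository = new HttpSessionSecurityContextRepository();
        SecurityContext empty = SecurityContextHolder.createEmptyContext();
        SecurityContextHolder.clearContext();
        // Intended to remove the principal from the session; on 6.0.0 to 6.0.2 this
        // save does not clear the serialized session, so the user remains logged in.
        repository.saveContext(empty, request, response);
    }
}
```

On 6.0.3 and later the same code behaves as intended, which is why the fix described below is a version upgrade rather than a configuration change.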
However, your application is not vulnerable if any of the following are true:
- You are still using the deprecated SecurityContextPersistenceFilter or requireExplicitSave(false).
- You are using Spring Security’s logout support with in-memory sessions.
- You are not saving an empty SecurityContext into the HttpSessionSecurityContextRepository.
Affected Products and Versions
The following Spring Security versions are affected by this vulnerability:
- 6.0.0 to 6.0.2
- 5.8.0 to 5.8.2
- 5.7.0 to 5.7.7
Mitigating the Vulnerability
If your application is using one of the affected Spring Security versions, you should take the following mitigation steps:
- For 5.7.x users, upgrade to version 5.7.8.
- For 5.8.x users, upgrade to version 5.8.3.
- For 6.0.x users, upgrade to version 6.0.3.
Security vulnerabilities can have serious consequences for applications and their users. By upgrading to the latest, secure version of Spring Security, you can help ensure that your application and its users are safe from this high-severity vulnerability.