CVE-2023-20862: 
Java vulnerability analysis and mitigation

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, a vulnerability was identified where the logout support does not properly clean the security context when using serialized versions. Additionally, the HttpSessionSecurityContextRepository cannot explicitly save an empty security context. This vulnerability was discovered by Daniel Furtlehner from Porsche Informatik and was publicly disclosed on April 17, 2023 (Spring Security).

The vulnerability occurs specifically when using the SecurityContextHolderFilter or requireExplicitSave(true) with Spring Security's logout support in combination with serialized sessions and invalidateHttpSession(false), when logging users out manually by saving an empty SecurityContext into the HttpSessionSecurityContextRepository, or when using a custom SecurityContextRepository that does not rely on the HttpSession. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

When successfully exploited, this vulnerability can keep users authenticated even after they have performed a logout operation. This could lead to unauthorized access to user accounts, potentially resulting in disclosure of sensitive information, modification of data, or Denial of Service (DoS) (NetApp Advisory).

Users of affected versions should upgrade to the following fixed versions: 5.7.x users should upgrade to 5.7.8, 5.8.x users should upgrade to 5.8.3, and 6.0.x users should upgrade to 6.0.3. No other mitigation steps are necessary. These security updates have been incorporated into Spring Boot 3.0.6 and 2.7.11 (Spring Blog).