OSV
added 2023/04/19 9:30 p.m., 0 views

GHSA-X873-6RGC-94JC Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.8, EPSS 0.00461
Exploits 0, References 4
vulnersOsv
added 2023/04/19 9:30 p.m., 4 views

cc.chensoul.nacos:nacos-distribution (=2.5.2), cn.sparrowmini:sparrow-org-service (=0.0.1) +625 more potentially affected by CVE-2023-20862 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.2)

org.springframework.security:spring-security-core (Maven) versions =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =2.6.0 and more. Source CVEs: CVE-2023-20862. Source advisory: OSV:GHSA-X873-6RGC-94JC...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits 0
vulnersOsv
added 2023/04/19 9:30 p.m., 3 views

be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +810 more potentially affected by CVE-2023-20862 via org.springframework.security:spring-security-core (>=6.0.0 <=6.0.2)

org.springframework.security:spring-security-core (Maven) versions =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.4.2 and more. Source CVEs: CVE-2023-20862. Source advisory: OSV:GHSA-X873-6RGC-94JC...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits 0
Github Security Blog
added 2023/04/19 9:30 p.m., 91 views

Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits 0, References 4, Affected Software 1
NVD
added 2023/04/19 8:15 p.m., 17 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.6, EPSS 0.00461
Exploits 0, References 2
OSV
added 2023/04/19 8:15 p.m., 33 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.4, EPSS 0.00461
Exploits 0, References 2
Prion
added 2023/04/19 8:15 p.m., 30 views

Design/Logic Flaw

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.5, AI score 6.2, EPSS 0.00461
Exploits 0, References 2, Affected Software 1
CNNVD
added 2023/04/19 12:00 a.m., 1 view

Spring Framework security vulnerability

Spring Framework is an open-source Java/JavaEE application framework from the US-based Spring team; it helps developers build high-quality applications. A security vulnerability exists in Spring Security 5.7.x prior to 5.7.8, 5.8.x prior to 5.8.3, and 6.0.x prior...

CVSS 6.3, AI score 6.5, EPSS 0.00461
Exploits 0, References 4
Vulnrichment
added 2023/04/19 12:00 a.m., 11 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

AI score 6.2, EPSS 0.00461
Exploits 0, References 2
CVE
added 2023/04/19 12:00 a.m., 204 views

CVE-2023-20862

In CVE-2023-20862, the Spring Security logout flow fails to properly clean the security context when serialized contexts are used, and an empty security context cannot be explicitly saved to HttpSessionSecurityContextRepository. Affected versions are Spring Security 5.7.x prior to 5.7.8, 5.8.x prior to 5....

CVSS 6.3, AI score 6.6, EPSS 0.00461
Exploits 0, References 2, Affected Software 1
SUSE CVE
added 2023/04/18 11:25 p.m., 1 view

SUSE CVE-2019-3773

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...

CVSS 9.8, AI score 9.8, EPSS 0.00305
Exploits 0, References 3
RedhatCVE
added 2023/04/18 3:31 p.m., 39 views

CVE-2023-20863

A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server...

CVSS 6.5, AI score 6.1, EPSS 0.01066
Exploits 0, References 4
Veracode
added 2023/04/18 7:02 a.m., 31 views

Denial Of Service (DoS)

Spring Expression Language is vulnerable to denial of service (DoS). The vulnerability exists in the doParseExpression function of InternalSpelExpressionParser.java because the SpEL expression length is not restricted, which allows an attacker to cause an application crash...

CVSS 6.5, AI score 6.3, EPSS 0.01066
Exploits 0, References 9, Affected Software 1
Spring Engineering
added 2023/04/18 12:00 a.m., 7 views

This Week in Spring - April 18th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I just returned from Western Europe for Devoxx FR Paris and Kotlin Conf Amsterdam. I went home, saw my family, did some laundry, and then turned right back around to head to Chicago, Illinois, for a special joint...

AI score 6.6
Exploits 0
Positive Technologies
added 2023/04/18 12:00 a.m., 2 views

PT-2023-9021 · Spring · Spring Security

Name of the Vulnerable Software and Affected Versions: Spring Security versions 5.7.x through 5.7.7; Spring Security versions 5.8.x through 5.8.2; Spring Security versions 6.0.x through 6.0.2. Description: The issue is related to the logout support not properly cleaning the security context if using...

CVSS 10, AI score 7, EPSS 0.00461
Exploits 0, References 10
GithubExploit
added 2023/04/17 1:54 p.m., 315 views

Exploit for Code Injection in Vmware Spring_Cloud_Function

Spring Cloud Function Vulnerability CVE-2022-22963 RCE This...

CVSS 9.8, AI score 9.5, EPSS 0.94462
Exploits 36
OpenVAS
added 2023/04/14 12:00 a.m., 22 views

VMware Spring Framework < 5.2.24, 5.3.x < 5.3.27, 6.0.x < 6.0.8 DoS Vulnerability - Linux

The VMware Spring Framework is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 6.5, AI score 6.9, EPSS 0.01066
Exploits 0, References 2
OpenVAS
added 2023/04/14 12:00 a.m., 22 views

VMware Spring Framework < 5.2.24, 5.3.x < 5.3.27, 6.0.x < 6.0.8 DoS Vulnerability - Windows

The VMware Spring Framework is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 6.5, AI score 6.9, EPSS 0.01066
Exploits 0, References 2
OSV
added 2023/04/13 9:30 p.m., 0 views

GHSA-WXQC-PXW9-G2P8 Spring Framework vulnerable to denial of service

In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition...

CVSS 7.5, AI score 6.8, EPSS 0.01066
Exploits 0, References 7
vulnersOsv
added 2023/04/13 9:30 p.m., 6 views

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +20157 more potentially affected by CVE-2023-20863 via org.springframework:spring-expression (>=5.3.0 <=5.3.26)

org.springframework:spring-expression (Maven) versions =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more. Source CVEs: CVE-2023-20863. Source advisory: OSV:GHSA-WXQC-PXW9-G2P8...

CVSS 6.5, AI score 6.8, EPSS 0.01066
Exploits 0
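The entries above give affected version ranges for two artifacts: org.springframework.security:spring-security-core for CVE-2023-20862 (5.7.x before 5.7.8, 5.8.x before 5.8.3, 6.0.x before 6.0.3) and org.springframework:spring-expression for CVE-2023-20863 (before 5.2.24.RELEASE, 5.3.27 and 6.0.8). The following Python script is an added triage example, not part of any entry on this page and not Spring project code: it reads `mvn dependency:list` style output and flags coordinates whose version falls in those ranges, treating the first fixed release as the exclusive upper bound and treating pre-release qualifiers (RC, M, SNAPSHOT) as older than the final build of the same number, so a 6.0.8-SNAPSHOT is still flagged. The sample dependency list at the bottom is constructed for the example, not taken from a real build.

```python
"""Version-range triage for the two Spring advisories listed on this page.

Reads `mvn dependency:list` style lines and flags coordinates whose version
falls inside an affected range. Ranges are the ones quoted in the entries
above; the first fixed release is the (exclusive) upper bound.
"""
import re
from typing import Iterable

# Affected ranges per release line, as [lower inclusive, first fixed release).
# Release lines the advisories do not mention (e.g. spring-security 5.6.x,
# already out of support) are deliberately not assessed here.
AFFECTED = {
    "CVE-2023-20862": {
        "artifact": "org.springframework.security:spring-security-core",
        "ranges": [("5.7.0", "5.7.8"), ("5.8.0", "5.8.3"), ("6.0.0", "6.0.3")],
    },
    "CVE-2023-20863": {
        "artifact": "org.springframework:spring-expression",
        # "prior to 5.2.24.RELEASE" covers every 5.2.x build before the fix.
        "ranges": [("5.2.0", "5.2.24"), ("5.3.0", "5.3.27"), ("6.0.0", "6.0.8")],
    },
}

_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def version_key(version: str) -> tuple:
    """Map a Maven/Spring version string to a sortable tuple.

    '5.2.23.RELEASE' -> (5, 2, 23, 0)   final build
    '6.0.3-RC1'      -> (6, 0, 3, -1)   pre-release of 6.0.3
    Pre-release qualifiers sort below the final build of the same number,
    so 6.0.3-SNAPSHOT is still treated as older than the 6.0.3 fix.
    """
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, rest = match.groups()
    qualifier = rest.lstrip(".-").upper()
    is_final = qualifier in ("", "RELEASE", "FINAL", "GA")
    return (int(major), int(minor or 0), int(patch or 0), 0 if is_final else -1)


def in_range(version: str, low: str, first_fixed: str) -> bool:
    """True when low <= version < first_fixed."""
    return version_key(low) <= version_key(version) < version_key(first_fixed)


def parse_coordinate(line: str):
    """Return the groupId:artifactId:type:version[:scope] token of a
    `mvn dependency:list` line, or None for log chatter such as '[INFO] ...'."""
    for token in line.split():
        if token.count(":") >= 3:
            return token
    return None


def affected_cves(coordinate: str) -> list:
    """CVE IDs from AFFECTED whose artifact and version range match."""
    parts = coordinate.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {coordinate!r}")
    group_artifact = f"{parts[0]}:{parts[1]}"
    version = parts[3]
    return [
        cve
        for cve, spec in AFFECTED.items()
        if spec["artifact"] == group_artifact
        and any(in_range(version, lo, hi) for lo, hi in spec["ranges"])
    ]


def triage(lines: Iterable[str]) -> dict:
    """Return {coordinate: [cve, ...]} for every affected dependency line."""
    report = {}
    for line in lines:
        coordinate = parse_coordinate(line)
        if coordinate is None:
            continue
        hits = affected_cves(coordinate)
        if hits:
            report[coordinate] = hits
    return report


# Constructed sample, not a real build: mixes fixed, vulnerable and
# pre-release versions so every branch of the logic is exercised.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-core:jar:5.8.2:compile
[INFO]    org.springframework.security:spring-security-web:jar:5.8.2:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.0.3:test
[INFO]    org.springframework:spring-expression:jar:5.3.26:compile
[INFO]    org.springframework:spring-expression:jar:5.2.23.RELEASE:compile
[INFO]    org.springframework:spring-expression:jar:6.0.8-SNAPSHOT:compile
[INFO]    org.springframework:spring-core:jar:6.0.8:compile
"""

if __name__ == "__main__":
    for coordinate, cves in triage(SAMPLE_DEPENDENCY_LIST.splitlines()).items():
        print(f"{coordinate}  ->  {', '.join(cves)}")
```

To use it on a project, feed `triage()` the lines of a real `mvn dependency:list` run instead of the sample. Two caveats: matching on the Maven coordinate only sees artifacts Maven resolved, so a shaded or repackaged copy of spring-security-core inside another jar will not be reported; and only the two artifacts named in the entries above are tracked, so a hit on spring-security-core says nothing about other Spring Security modules at the same version.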