spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout

A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. Th...

Insecure Session Management

infinispan spring-core contains insecure session management. In AbstractInfinispanSessionRepository.java, when getId returns a different value from getOriginalId, the original session is not deleted. An attacker can reuse the original ID to gain access to the application as the user...