SCA: security update for org.springframework.security:spring-security-core (GHSA-x873-6rgc-94jc)

Severity: Medium | Tenable Cloud Security Plugin ID 421714

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Spring Security versions 5.7.x prior to 5.7.8, 5.8.x prior to 5.8.3, and 6.0.x prior to 6.0.3, the
logout support does not properly clear the security context when serialized security contexts are in use.
Additionally, it is not possible to explicitly save an empty security context to the
HttpSessionSecurityContextRepository, so a context already persisted in the HTTP session can survive the
logout. As a result, users can remain authenticated after they have performed a logout. Users of affected
versions should apply the following mitigation: 5.7.x users should upgrade to 5.7.8, 5.8.x users should
upgrade to 5.8.3, and 6.0.x users should upgrade to 6.0.3. (CVE-2023-20862)
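The check below is an added example, not the Tenable plugin's own detection logic: it reads `mvn dependency:list`-style output (a constructed sample is embedded, not from a real build) and reports whether the resolved `org.springframework.security:spring-security-core` version falls inside the three affected branches named above. The `FIXED_IN` table and the treatment of pre-release qualifiers (a `-SNAPSHOT` or `-RC1` build of the fixed version is still counted as vulnerable, following Maven's ordering of qualified versions before the plain release) are assumptions made for this example.

```python
"""Check Maven coordinates against the CVE-2023-20862 affected ranges.

Added example (not Tenable's plugin logic): parses `mvn dependency:list`
style lines and reports whether the spring-security-core version found is
in one of the affected branches named in the advisory:
  5.7.x < 5.7.8, 5.8.x < 5.8.3, 6.0.x < 6.0.3.
"""
import re

# Affected branch -> first fixed release, taken from the advisory text.
FIXED_IN = {
    (5, 7): (5, 7, 8),
    (5, 8): (5, 8, 3),
    (6, 0): (6, 0, 3),
}

ARTIFACT = "org.springframework.security:spring-security-core"

# Matches a coordinate as printed by `mvn dependency:list`, e.g.
#   [INFO]    org.springframework.security:spring-security-core:jar:5.8.2:compile
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def parse_version(text):
    """Split '5.8.2' or '6.0.3-SNAPSHOT' into a numeric tuple and a qualifier."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:[-.](.*))?$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch)), qualifier


def _is_prerelease(qualifier):
    """Assumption: any qualifier other than RELEASE/FINAL/GA marks a pre-release."""
    return qualifier is not None and qualifier.upper() not in ("RELEASE", "FINAL", "GA")


def is_affected(version):
    """True if `version` is in an affected branch and below the fixed release.

    Branches the advisory does not name (e.g. 5.6.x or 6.1.x) return False;
    that means "outside this advisory's ranges", not "known safe".
    """
    nums, qualifier = parse_version(version)
    branch = nums[:2]
    if branch not in FIXED_IN:
        return False
    fixed = FIXED_IN[branch]
    if nums < fixed:
        return True
    # A pre-release build of the fixed version sorts before the release itself.
    return nums == fixed and _is_prerelease(qualifier)


def scan(lines):
    """Return [(coordinate, version, affected)] for spring-security-core entries."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}"
        if coord != ARTIFACT:
            continue
        findings.append((coord, m["version"], is_affected(m["version"])))
    return findings


# Constructed sample output (not from a real build) in `mvn dependency:list` format.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-core:jar:5.8.2:compile
[INFO]    org.springframework.security:spring-security-web:jar:5.8.2:compile
[INFO]    org.springframework:spring-core:jar:5.3.26:compile
"""

if __name__ == "__main__":
    for coord, version, affected in scan(SAMPLE_OUTPUT.splitlines()):
        status = "AFFECTED (CVE-2023-20862)" if affected else "not affected"
        print(f"{coord}:{version} -> {status}")
```

Run it against `mvn dependency:list` output from the build in question; only the resolved `spring-security-core` version matters, since a project can declare one version in its POM and resolve another through dependency management.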

See Also

https://github.com/advisories/GHSA-x873-6rgc-94jc

Plugin Details

Severity: Medium

ID: 421714

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 1/28/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.6

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2023-20862

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/19/2023

Vulnerability Publication Date: 4/19/2023

Reference Information

CVE: CVE-2023-20862

CWE: CWE-459