Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- None
Description
Spring Framework 5.3.26 and earlier contain a Spring Expression Language vulnerability described in CVE-2023-20863.
Spring Security 5.8.2 and earlier contain a Security Context logout vulnerability described in CVE-2023-20862.
Spring Framework 5.3.27 resolves CVE-2023-20863 and Spring Security 5.8.3 resolves CVE-2023-20862.
Spring Boot 2.7.11 incorporates both of these upgrades, so Registry should be updated to Spring Boot 2.7.11.
The framework components do not use Spring Expression Language and do not use HTTP sessions to persist Security Context information, so neither vulnerability is reachable through them; the upgrade is still applied to stay on patched versions.