CVE-2023-34042

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-34042

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-34042.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-34042

Aliases

GHSA-9gp8-6cg8-7h34

Published

2024-02-05T22:15:55Z

Modified

2024-10-12T10:57:07.815043Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

References

https://spring.io/security/cve-2023-34042

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type: GIT
Repo: https://github.com/spring-projects/spring-security
Events: Introduced

108075763b506ca0de05d6295e7ad6f5e5f2a601

Fixed

564a022ab6ad180daab86a68fcfa0a972ae132ef

Affected versions

5.*

5.6.11

5.6.12

5.7.10

5.7.9

5.8.4

5.8.5

5.8.6