GHSA-9gp8-6cg8-7h34

Suggest an improvement
Source
https://github.com/advisories/GHSA-9gp8-6cg8-7h34
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9gp8-6cg8-7h34/GHSA-9gp8-6cg8-7h34.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9gp8-6cg8-7h34
Aliases
Published
2024-02-06T00:30:25Z
Modified
2024-11-29T12:46:15.782659Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Spring Security's spring-security.xsd file is world writable
Details

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Database specific
{
    "nvd_published_at": "2024-02-05T22:15:55Z",
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T15:52:33Z"
}
References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.1
Fixed
6.1.4

Affected versions

6.*

6.1.1
6.1.2
6.1.3

Database specific

{
    "last_known_affected_version_range": "<= 6.1.3"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.4
Fixed
6.0.7

Affected versions

6.*

6.0.4
6.0.5
6.0.6

Database specific

{
    "last_known_affected_version_range": "<= 6.0.6"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.4
Fixed
5.8.7

Affected versions

5.*

5.8.4
5.8.5
5.8.6

Database specific

{
    "last_known_affected_version_range": "<= 5.8.6"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.9
Fixed
5.7.11

Affected versions

5.*

5.7.9
5.7.10

Database specific

{
    "last_known_affected_version_range": "<= 5.7.10"
}