CVE-2023-34042
CVE-2023-34042 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
The spring-security.xsd file inside the spring-security-config jar is world-writable, which means that if it were extracted it could be written to by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.
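A defender-side check, added here and not part of the NVD record or of Spring Security itself, that walks a jar's zip entries and reports any regular file whose stored POSIX mode grants write permission to "others", which is the CWE-732 condition the description refers to. The sample jar, its contents and the entry path are constructed for the demonstration; pass a real jar path as the first argument to scan that instead.

```python
import io
import stat
import sys
import zipfile

# Zip entries written on a Unix-like system (creator system 3) carry the
# POSIX mode bits in the upper 16 bits of external_attr.
UNIX_CREATOR = 3


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Return the POSIX permission bits recorded for a zip entry (0 if none)."""
    return (info.external_attr >> 16) & 0o7777


def world_writable_entries(jar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (name, octal mode) for each regular file whose mode includes
    S_IWOTH, i.e. an entry that becomes world-writable when extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            mode = entry_mode(info)
            if mode & stat.S_IWOTH:
                findings.append((info.filename, oct(mode)))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample jar (not the real spring-security-config artefact):
    one entry carries the faulty 0o666 mode, the other a normal 0o644."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, mode in (
            ("org/springframework/security/config/spring-security.xsd", 0o666),
            ("META-INF/MANIFEST.MF", 0o644),
        ):
            info = zipfile.ZipInfo(name)
            info.create_system = UNIX_CREATOR
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, b"<!-- constructed placeholder content -->\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a jar given on the command line, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for name, mode in world_writable_entries(data):
        print(f"world-writable entry: {name} (mode {mode})")
```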
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
CWE-732: Incorrect Permission Assignment for Critical Resource
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | >= 5.8.4, < 5.8.7 |
| Vmware | Spring Security | >= 6.0.4, < 6.0.7 |
| Vmware | Spring Security | >= 6.1.1, < 6.1.4 |
| Vmware | Spring Security | 5.7.9 |
| Vmware | Spring Security | 5.7.10 |
Source: NVD / NIST
