CVE-2023-34042

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-34042

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34042.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-34042

Aliases

GHSA-9gp8-6cg8-7h34

Published

2024-02-05T22:15:55.210Z

Modified

2026-04-10T04:58:53.072526Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

References

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-security

Events

Introduced

108075763b506ca0de05d6295e7ad6f5e5f2a601

Fixed

564a022ab6ad180daab86a68fcfa0a972ae132ef

Introduced

87e2071b17483722fe75d716aa7075335f531dfc

Fixed

7c17cfae367a1f4ac375a85f599abb3dff12c9f9

Introduced

31d4ce8191777ce8412ef3a9c2e4188b250d378b

Fixed

b220d9aa875eb2933a59b1c2d9741adfa99b819b

Introduced

Last affected

6d3f1699c0d7fb0da100d9b6c68322b2fe0e0b49

Introduced

Last affected

486c5118d218c4b94548e5ed8881d43089d1552d

Database specific

{
    "versions": [
        {
            "introduced": "5.8.4"
        },
        {
            "fixed": "5.8.7"
        },
        {
            "introduced": "6.0.4"
        },
        {
            "fixed": "6.0.7"
        },
        {
            "introduced": "6.1.1"
        },
        {
            "fixed": "6.1.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.7.9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.7.10"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.2

1.0.3

1.0.4

1.0.5

2.*

2.5.0.M1

3.*

3.0.0.M2

3.0.0.RC2

3.0.1.RELEASE

3.0.2.RELEASE

3.1.0.M1

3.1.0.M2

3.1.0.RC1

3.1.0.RC2

3.1.0.RC3

3.1.0.RELEASE

3.1.1.RELEASE

3.1.2.RELEASE

3.1.3.RELEASE

3.2.0.M2

4.*

4.1.0.RC1

4.1.0.RC2

4.1.0.RELEASE

4.1.1.RELEASE

4.2.0.M1

4.2.0.RC1

4.2.0.RELEASE

4.2.1.RELEASE

4.2.2.RELEASE

5.*

5.0.0.M1

5.0.0.M2

5.0.0.M3

5.0.0.M4

5.0.0.M5

5.0.0.RC1

5.0.0.RELEASE

5.0.1.RELEASE

5.0.2.RELEASE

5.0.3.RELEASE

5.1.0.M1

5.1.0.M2

5.1.0.RC2

5.1.0.RELEASE

5.1.1.RELEASE

5.2.0.M1

5.2.0.M2

5.2.0.M3

5.2.0.M4

5.2.0.RC1

5.2.0.RELEASE

5.3.0.M1

5.3.0.RC1

5.3.0.RELEASE

5.4.0

5.4.0-M1

5.4.0-M2

5.4.0-RC1

5.5.0

5.5.0-M1

5.5.0-M2

5.5.0-M3

5.5.0-RC1

5.5.0-RC2

5.6.0

5.6.0-M1

5.6.0-M2

5.6.0-M3

5.6.0-RC1

5.7.0

5.7.0-M1

5.7.0-M2

5.7.0-M3

5.7.0-RC1

5.7.1

5.7.10

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.9

5.8.4

5.8.5

5.8.6

6.*

6.0.4

6.0.5

6.0.6

6.1.1

6.1.2

6.1.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34042.json"