GHSA-9gp8-6cg8-7h34

Source
https://github.com/advisories/GHSA-9gp8-6cg8-7h34
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9gp8-6cg8-7h34/GHSA-9gp8-6cg8-7h34.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9gp8-6cg8-7h34
Aliases
Published
2024-02-06T00:30:25Z
Modified
2024-11-29T12:46:28.427269Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Spring Security's spring-security.xsd file is world writable
Details

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any exploits that may later be found for this issue.
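A defender-side check for the condition this advisory describes, added here and not part of the advisory or of Spring Security: it lists every entry in a jar whose stored Unix mode grants write permission to "other". The jar it scans is constructed inline to stand in for spring-security-config; the entry names and contents are assumptions, not the real jar layout.

```python
import io
import stat
import zipfile


def world_writable_entries(jar_bytes):
    """Return (name, mode) for each zip entry whose Unix permission bits
    include write-for-other. Unix modes live in the high 16 bits of
    ZipInfo.external_attr; entries written on non-Unix hosts carry 0 there,
    which is treated as unknown and skipped rather than flagged."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            mode = (info.external_attr >> 16) & 0o7777
            if mode == 0:
                continue
            if mode & stat.S_IWOTH:
                found.append((info.filename, mode))
    return found


def scan_jar_file(path):
    """Convenience wrapper for an on-disk jar (e.g. one pulled from ~/.m2)."""
    with open(path, "rb") as fh:
        return world_writable_entries(fh.read())


def build_sample_jar():
    """Constructed jar (assumption, not the real artifact): one entry with
    mode 0666 mirroring the advisory, one with a normal 0644."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        xsd = zipfile.ZipInfo("spring-security.xsd")
        xsd.external_attr = (stat.S_IFREG | 0o666) << 16
        jar.writestr(xsd, "<xs:schema/>")
        manifest = zipfile.ZipInfo("META-INF/MANIFEST.MF")
        manifest.external_attr = (stat.S_IFREG | 0o644) << 16
        jar.writestr(manifest, "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode in world_writable_entries(build_sample_jar()):
        print(f"world-writable entry: {name} ({oct(mode)})")
```

The stored mode only becomes a file-system permission when an extractor honours zip Unix attributes, which is why the advisory phrases the risk as "if it were extracted".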

Database specific
{
    "nvd_published_at": "2024-02-05T22:15:55Z",
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T15:52:33Z"
}
References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.1
Fixed
6.1.4

Affected versions

6.*

6.1.1
6.1.2
6.1.3

Database specific

{
    "last_known_affected_version_range": "<= 6.1.3"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.4
Fixed
6.0.7

Affected versions

6.*

6.0.4
6.0.5
6.0.6

Database specific

{
    "last_known_affected_version_range": "<= 6.0.6"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.4
Fixed
5.8.7

Affected versions

5.*

5.8.4
5.8.5
5.8.6

Database specific

{
    "last_known_affected_version_range": "<= 5.8.6"
}

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.9
Fixed
5.7.11

Affected versions

5.*

5.7.9
5.7.10

Database specific

{
    "last_known_affected_version_range": "<= 5.7.10"
}