Vulnerability Description
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Security | >= 5.8.4, < 5.8.7 |
Related Weaknesses (CWE)
References
- https://spring.io/security/cve-2023-34042Vendor Advisory
- https://security.netapp.com/advisory/ntap-20241129-0010/
- https://spring.io/security/cve-2023-34042Vendor Advisory
FAQ
What is CVE-2023-34042?
CVE-2023-34042 is a vulnerability with a CVSS score of 4.1 (MEDIUM). The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there...
How severe is CVE-2023-34042?
CVE-2023-34042 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-34042?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Security.