Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Published

2024-02-05T22:15:55.210

Last Modified

2025-06-03T19:15:32.450

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.1 (MEDIUM)

Weaknesses

Type: Primary
CWE-732
Type: Secondary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	vmware	spring_security	< 5.8.7	Yes
Application	vmware	spring_security	< 6.0.7	Yes
Application	vmware	spring_security	< 6.1.4	Yes
Application	vmware	spring_security	5.7.9	Yes
Application	vmware	spring_security	5.7.10	Yes

References

https://spring.io/security/cve-2023-34042 Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20241129-0010/ (af854a3a-2127-422b-91ae-364da2661108)
https://spring.io/security/cve-2023-34042 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)