What is the severity of CVE-2023-34042?

The severity of CVE-2023-34042 is currently not classified with known exploits but represents a risk due to incorrect file permissions.

How do I fix CVE-2023-34042?

To fix CVE-2023-34042, upgrade to org.springframework.security:spring-security-config version 5.7.11, 5.8.7, 6.0.7, or 6.1.4.

What is the impact of CVE-2023-34042?

The impact of CVE-2023-34042 is that the spring-security.xsd file is world writable, which poses a risk of unauthorized modifications.

Which versions of spring-security-config are affected by CVE-2023-34042?

Versions 5.7.9 to 5.7.10, 5.8.4 to 5.8.6, 6.0.4 to 6.0.6, and 6.1.1 to 6.1.3 of the spring-security-config package are affected by CVE-2023-34042.

Who is affected by CVE-2023-34042?

Users of the VMware Spring Security library with the specified vulnerable versions may be affected by CVE-2023-34042.

Vulnerability/
CVE-2023-34042

medium

5.5

CWE

732

5/2/2024

6/2/2024

29/11/2024

CVE-2023-34042

First published: Mon Feb 05 2024(Updated: )

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Credit: security@vmware.com security@vmware.com

Affected Software	Affected Version	How to fix
maven/org.springframework.security:spring-security-config	>=5.7.9<=5.7.10	5.7.11
maven/org.springframework.security:spring-security-config	>=5.8.4<=5.8.6	5.8.7
maven/org.springframework.security:spring-security-config	>=6.0.4<=6.0.6	6.0.7
maven/org.springframework.security:spring-security-config	>=6.1.1<=6.1.3	6.1.4
Spring Security	>=5.8.4<5.8.7
Spring Security	>=6.0.4<6.0.7
Spring Security	>=6.1.1<6.1.4
Spring Security	=5.7.9
Spring Security	=5.7.10

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-34042?
The severity of CVE-2023-34042 is currently not classified with known exploits but represents a risk due to incorrect file permissions.
How do I fix CVE-2023-34042?
To fix CVE-2023-34042, upgrade to org.springframework.security:spring-security-config version 5.7.11, 5.8.7, 6.0.7, or 6.1.4.
What is the impact of CVE-2023-34042?
The impact of CVE-2023-34042 is that the spring-security.xsd file is world writable, which poses a risk of unauthorized modifications.
Which versions of spring-security-config are affected by CVE-2023-34042?
Versions 5.7.9 to 5.7.10, 5.8.4 to 5.8.6, 6.0.4 to 6.0.6, and 6.1.1 to 6.1.3 of the spring-security-config package are affected by CVE-2023-34042.
Who is affected by CVE-2023-34042?
Users of the VMware Spring Security library with the specified vulnerable versions may be affected by CVE-2023-34042.

agent/type
agent/first-publish-date
agent/weakness
agent/description
agent/author
agent/severity
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-9gp8-6cg8-7h34
alias/CVE-2023-34042
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/event
collector/github-advisory
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
package-manager/maven
vendor/vmware
canonical/spring security
version/spring security/5.8.4
version/spring security/6.0.4
version/spring security/6.1.1
version/spring security/5.7.9
version/spring security/5.7.10