<p>Upgrade <code>org.springframework.security:spring-security-config</code> to version 5.7.11, 5.8.7, 6.0.7, 6.1.4 or higher.</p>

Incorrect Permission Assignment for Critical Resource Affecting org.springframework.security:spring-security-config package, versions [5.7.9,5.7.11) [5.8.4,5.8.7) [6.0.4,6.0.7) [6.1.1,6.1.4)

Threat Intelligence

0.04% (6^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5905484
published 19 Sep 2023
disclosed 18 Sep 2023
credit Martin Holland

Report a new vulnerability Found a mistake?

Introduced: 18 Sep 2023

CVE-2023-34042 Open this link in a new tab CWE-732 Open this link in a new tab

How to fix?

Upgrade org.springframework.security:spring-security-config to version 5.7.11, 5.8.7, 6.0.7, 6.1.4 or higher.

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the spring-security.xsd file due to being world writable. An attacker with access to the file system could extract this file and modify it.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

High
Privileges Required (PR)

High
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

High
Availability (A)

None

Incorrect Permission Assignment for Critical Resource Affecting org.springframework.security:spring-security-config package, versions [5.7.9,5.7.11) [5.8.4,5.8.7) [6.0.4,6.0.7) [6.1.1,6.1.4)

Severity

CVSS assessment made by Snyk's Security Team