Incorrect Permission Assignment for Critical Resource Affecting org.springframework.security:spring-security-config package, versions [5.7.9,5.7.11)[5.8.4,5.8.7)[6.0.4,6.0.7)[6.1.1,6.1.4)

The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities.

A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

The vulnerable system can be exploited without interaction from any user.

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

There is no loss of confidentiality within the impacted component.

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

There is no impact to availability within the impacted component.