A vulnerability, which was classified as problematic, has been found in VMware Spring Security up to 5.7.10/5.8.6/6.0.6/6.1.3 on Critical. Affected by this issue is some unknown processing of the file spring-security.xsd. The manipulation with an unknown input leads to a permission assignment vulnerability. Using CWE to declare the problem leads to CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Impacted is integrity, and availability. CVE summarizes:

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

The weakness was disclosed 02/06/2024. The advisory is available at spring.io. This vulnerability is handled as CVE-2023-34042 since 05/25/2023. Technical details are known, but there is no available exploit.

Upgrading to version 5.7.11, 5.8.7, 6.0.7 or 6.1.4 eliminates this vulnerability.

Productinfo

Vendor

• VMware

Name

• Spring Security

Version

• 5.7.0
• 5.7.1
• 5.7.2
• 5.7.3
• 5.7.4
• 5.7.5
• 5.7.6
• 5.7.7
• 5.7.8
• 5.7.9
• 5.7.10
• 5.8.0
• 5.8.1
• 5.8.2
• 5.8.3
• 5.8.4
• 5.8.5
• 5.8.6
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3

License

• commercial

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion