CVE-2023-34042: Spring Security's spring-security.xsd file is world writable

February 6, 2024 (updated November 29, 2024)

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

References

github.com/advisories/GHSA-9gp8-6cg8-7h34
github.com/spring-projects/spring-security
github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac
nvd.nist.gov/vuln/detail/CVE-2023-34042
security.netapp.com/advisory/ntap-20241129-0010
spring.io/security/cve-2023-34042

Code Behaviors & Features

Detect and mitigate CVE-2023-34042 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →