CVE-2023-34042 — Spring Security's spring-security.xsd file is world writable

Description

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

How to fix CVE-2023-34042

To remediate CVE-2023-34042, upgrade the affected package to a fixed version below.

—upgrade to 6.1.4 or later

Is CVE-2023-34042 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.1.1, < 6.1.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-34042
PATCHgithub.com/spring-projects/spring-security
WEBgithub.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac
WEBsecurity.netapp.com/advisory/ntap-20241129-0010