GitHub Advisory Database: GHSA-9GP8-6CG8-7H34
History: Feb 06, 2024 - 12:30 a.m.

Spring Security's spring-security.xsd file is world writable

Published: 2024-02-06 00:30:25
CWE-732
Source: GitHub Advisory Database (github.com)
Tags: spring security, spring-security.xsd, world-writable, incorrect permission assignment, critical resource, exploit, update, latest version

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.1
Confidence: Low
EPSS: 0
Percentile: 5.1%

The spring-security.xsd file inside the spring-security-config jar is world-writable, which means that once the jar is extracted the file can be modified by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.
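As an added illustration of the check a practitioner would run against a dependency (this is not code from the advisory or from the Spring Security project): the Unix mode of each entry in a jar is stored in the zip central directory, so a world-writable file can be detected before the archive is ever extracted. The script below builds a constructed sample jar, flags entries whose other-write bit is set, and produces a sanitized copy with group/other write cleared. The entry path used for spring-security.xsd is an assumption made for the sample, not taken from the advisory.

```python
import io
import stat
import zipfile

UNIX_CREATE_SYSTEM = 3  # zip "version made by" host: 3 = Unix, the only case where mode bits are meaningful


def world_writable_entries(jar_bytes):
    """Return (name, octal mode) for every entry whose stored Unix mode has S_IWOTH set."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.create_system != UNIX_CREATE_SYSTEM:
                continue  # DOS/Windows-created entries carry no Unix permission bits
            mode = (info.external_attr >> 16) & 0o7777  # high 16 bits of external_attr hold st_mode
            if mode & stat.S_IWOTH:
                findings.append((info.filename, oct(mode)))
    return findings


def strip_group_other_write(jar_bytes):
    """Return a copy of the jar with the group and other write bits cleared on every entry."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.compress_type = info.compress_type
            new.create_system = info.create_system
            mode = info.external_attr >> 16
            fixed_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
            # keep the low 16 bits (DOS attributes) and replace only the Unix mode
            new.external_attr = (info.external_attr & 0xFFFF) | (fixed_mode << 16)
            dst.writestr(new, data)
    return out.getvalue()


def build_sample_jar():
    """Constructed sample: one correctly-permissioned entry and one world-writable entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ok = zipfile.ZipInfo("META-INF/MANIFEST.MF")
        ok.create_system = UNIX_CREATE_SYSTEM
        ok.external_attr = 0o644 << 16
        zf.writestr(ok, "Manifest-Version: 1.0\n")

        # assumed entry path for the schema; the real path inside the jar may differ
        bad = zipfile.ZipInfo("org/springframework/security/config/spring-security.xsd")
        bad.create_system = UNIX_CREATE_SYSTEM
        bad.external_attr = 0o666 << 16  # rw-rw-rw-: the CWE-732 condition described above
        zf.writestr(bad, "<xsd:schema/>")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for name, mode in world_writable_entries(jar):
        print(f"world-writable: {name} ({mode})")
    assert world_writable_entries(strip_group_other_write(jar)) == []
```

To audit a real dependency tree, call world_writable_entries() on each jar read from the local Maven or Gradle cache; a non-empty result is a build-time finding independent of whether the jar is ever unpacked on a shared host.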

Affected configurations

Vulners node: org.springframework.security \ spring-security-bom (Match)
