IBM7470DEF6EE00DD140C18A263D301787FE990734D57ACA08E9F22F45E0FE89B3CSecurity Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
5.1%
Summary
IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
Vulnerability Details
CVEID:CVE-2023-34042
**DESCRIPTION:**VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for spring-security.xsd file inside the spring-security-config jar. By sending a specially crafted request, an attacker could exploit this vulnerability to write the spring-security.xsd file.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267747 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Spectrum Symphony | IBM Spectrum Symphony 7.3.2 |
Remediation/Fixes
IBM strongly suggests the following remediation or fix:
Upgrade to the latest version of IBM Spectrum Symphony with security fix pack (IBM Spectrum Symphony 7.3.2 with Fix 601860).
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | spectrum_symphony | 7.3.2 | cpe:2.3:a:ibm:spectrum_symphony:7.3.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
5.1%