
Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2023-34042 used in IBM Maximo Application Suite - Monitor Component

Published: 2023-12-01 19:19:19
Source: www.ibm.com
Tags: ibm maximo monitor component, vmware tanzu spring security, cve-2023-34042, security restriction bypass, fixpack 8.11.1, fixpack 8.10.6, catalog update

CVSS3 (Vulners): 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.7
Confidence: Low
EPSS: 0
Percentile: 5.1%

Summary

IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Security, which is vulnerable to CVE-2023-34042. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2023-34042
**DESCRIPTION:** VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for the spring-security.xsd file inside the spring-security-config jar. By sending a specially crafted request, an attacker could exploit this vulnerability to write to the spring-security.xsd file.
CVSS Base score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/267747 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)
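As an added check that is not part of IBM's bulletin or the Spring Security project, the following script inspects a jar's entries for a schema file stored with group- or world-writable permission bits, the class of defect the description above refers to. The entry path under org/springframework/security/config/ and the in-memory sample jar are constructed for illustration; point find_world_writable_entries at the bytes of a real spring-security-config jar to check a deployment.

```python
import io
import stat
import zipfile

# Entry name to look for; pass "" to check every entry in the archive.
XSD_SUFFIX = "spring-security.xsd"


def unix_mode(info: zipfile.ZipInfo) -> int:
    """POSIX permission bits stored in a zip entry's external attributes (0 if absent)."""
    return (info.external_attr >> 16) & 0o7777


def find_world_writable_entries(jar_bytes: bytes, name_filter: str = XSD_SUFFIX) -> list:
    """Return (name, octal mode) for matching entries whose stored mode is group- or world-writable.

    Tools that unpack the jar with its stored modes would create these files writable
    by other local users, which is the integrity exposure the bulletin describes.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(name_filter):
                continue
            mode = unix_mode(info)
            if mode & (stat.S_IWOTH | stat.S_IWGRP):
                flagged.append((info.filename, oct(mode)))
    return flagged


def build_sample_jar(xsd_mode: int) -> bytes:
    """Construct a tiny jar in memory whose schema entry carries the given mode (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical entry path; the real jar layout may differ.
        xsd = zipfile.ZipInfo("org/springframework/security/config/spring-security.xsd")
        xsd.external_attr = (stat.S_IFREG | xsd_mode) << 16
        zf.writestr(xsd, "<xs:schema/>")
        manifest = zipfile.ZipInfo("META-INF/MANIFEST.MF")
        manifest.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(manifest, "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("weak:", find_world_writable_entries(build_sample_jar(0o666)))
    print("fixed:", find_world_writable_entries(build_sample_jar(0o644)))
```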

Affected Products and Versions

Affected Product(s)                                 Version(s)
IBM Maximo Application Suite - Monitor Component    8.11
IBM Maximo Application Suite - Monitor Component    8.10

Remediation/Fixes

Affected Product(s)                                 Fixpack Version(s)
IBM Maximo Application Suite - Monitor Component    8.11.1 or latest (available from the Catalog under Update Available)
IBM Maximo Application Suite - Monitor Component    8.10.6 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations (Vulners)

maximo_application_suite 8.11 OR maximo_application_suite 8.10

Vendor   Product                   Version   CPE
ibm      maximo_application_suite  8.11      cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*
ibm      maximo_application_suite  8.10      cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*
