
Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Published: 2024-04-17 16:35:05
Source: www.ibm.com

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
AI Score: 6.6
Confidence: High
EPSS: 0
Percentile: 5.1%

Summary

IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Vulnerability Details

CVEID: CVE-2023-34042
**DESCRIPTION:** VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for the spring-security.xsd file inside the spring-security-config jar. By sending a specially crafted request, an attacker could exploit this vulnerability to write the spring-security.xsd file.
CVSS Base score: 4.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/267747 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)
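A defender-side check, added here and not part of the IBM bulletin or of Spring's code: it reads the Unix mode bits that zip entries store in `external_attr` and lists every entry in a jar that is writable by group or others. It assumes that the incorrect permission on spring-security.xsd is expressed as those stored mode bits; the sample jar is constructed inline so the script runs offline, and a real jar can be passed as the first argument.

```python
import io
import stat
import sys
import zipfile

# Constructed sample jar (not the real spring-security-config artifact): one entry
# stored with mode 0o666 (group/other-writable) and one with a sane 0o644.
SAMPLE_ENTRIES = (
    ("org/springframework/security/config/spring-security.xsd", 0o666),
    ("META-INF/MANIFEST.MF", 0o644),
)

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in SAMPLE_ENTRIES:
            info = zipfile.ZipInfo(name)
            # The Unix mode of a zip entry lives in the high 16 bits of external_attr.
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, b"<xsd/>")
    return buf.getvalue()

def entry_mode(info):
    # Entries written without Unix attributes (e.g. by some Java tools on Windows)
    # yield 0 here; such entries take the umask at extraction and are not flagged.
    return (info.external_attr >> 16) & 0o7777

def writable_entries(jar_bytes):
    """Return (entry name, octal mode) for every file entry writable by group or others."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            mode = entry_mode(info)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append((info.filename, oct(mode)))
    return found

def check_jar_file(path):
    with open(path, "rb") as fh:
        return writable_entries(fh.read())

if __name__ == "__main__":
    hits = check_jar_file(sys.argv[1]) if len(sys.argv) > 1 else writable_entries(build_sample_jar())
    for name, mode in hits:
        print(f"group/other-writable entry: {name} mode={mode}")
```

Run it against the spring-security-config jar shipped with an installation to see which entries would be extracted with a writable mode; an empty result means no entry carries group- or other-write bits.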

Affected Products and Versions

| Affected Product(s)    | Version(s)                   |
|------------------------|------------------------------|
| IBM Spectrum Conductor | IBM Spectrum Conductor 2.5.1 |

Remediation/Fixes

IBM strongly suggests the following remediation or fix:

Upgrade to the latest versions of IBM Spectrum Conductor 2.5.1 with security patch (IBM Spectrum Conductor 2.5.1 with Fix 601861).

Workarounds and Mitigations

None

Affected configurations

Vulners node match: ibm spectrum_control 2.5.1
Vendor: ibm
Product: spectrum_control
Version: 2.5.1
CPE: cpe:2.3:a:ibm:spectrum_control:2.5.1:*:*:*:*:*:*:*
