Description
The spring-security.xsd file inside the
spring-security-config jar is world writable which means that if it were
extracted it could be written by anyone with access to the file system.
While there are no known exploits, this is an example of “CWE-732:
Incorrect Permission Assignment for Critical Resource” and could result
in an exploit. Users should update to the latest version of Spring
Security to mitigate any future exploits found around this issue.
A flaw was found in the spring-security-config jar file. The spring-security.xsd file inside the spring-security-config jar is world-writable, which means that if it were extracted, it could be written by anyone with access to the file system.
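The problem described above is a permission bit stored in the jar's zip metadata, so it can be audited without extracting anything. The following script is an added example (not Red Hat's or Spring Security's code) that reads the Unix mode stored for each entry in a jar and reports entries with the world-writable bit set; the entry path used for spring-security.xsd and the sample modes are constructed for the demonstration, since the page does not state where inside the jar the file lives.

```python
"""Audit a jar (zip) for entries whose stored Unix mode is world-writable (CWE-732)."""
import io
import stat
import zipfile
from typing import List, Optional, Tuple

WORLD_WRITABLE = stat.S_IWOTH  # the o+w bit, 0o002


def entry_mode(info: zipfile.ZipInfo) -> Optional[int]:
    """Return the Unix permission bits stored for a zip entry, or None if not Unix-created.

    The zip format keeps the Unix mode in the high 16 bits of external_attr, and those
    bits are only meaningful when the entry's creating system is Unix (create_system == 3).
    """
    if info.create_system != 3:
        return None
    return (info.external_attr >> 16) & 0o7777


def find_world_writable_entries(jar_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, octal mode) for every entry whose stored mode has o+w set."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            mode = entry_mode(info)
            if mode is not None and mode & WORLD_WRITABLE:
                findings.append((info.filename, oct(mode)))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample jar: one entry stored with mode 0666, one with a sane 0644.

    The entry path for the schema file is an assumption made for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bad = zipfile.ZipInfo("org/springframework/security/config/spring-security.xsd")
        bad.create_system = 3  # mark as Unix-created so the mode bits are honoured
        bad.external_attr = (stat.S_IFREG | 0o666) << 16  # world-writable regular file
        zf.writestr(bad, "<xs:schema/>")

        good = zipfile.ZipInfo("META-INF/MANIFEST.MF")
        good.create_system = 3
        good.external_attr = (stat.S_IFREG | 0o644) << 16  # owner-writable only
        zf.writestr(good, "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # To audit a real artifact, replace build_sample_jar() with open(path, "rb").read().
    for name, mode in find_world_writable_entries(build_sample_jar()):
        print(f"world-writable entry: {name} (mode {mode})")
```

Only the stored mode is inspected; whether it matters on a given host depends on the extraction tool applying it and on the umask and ownership of the directory the jar is unpacked into, which is why the advisory treats it as a weakness rather than a known exploit.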
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | spring-security-config | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | spring-security-config | Out of support scope | | |
| Red Hat build of Apache Camel for Spring Boot 4 | spring-security-config | Not affected | | |
| Red Hat Build of Keycloak | spring-security-config | Not affected | | |
| Red Hat Data Grid 8 | spring-security-config | Not affected | | |
| Red Hat Decision Manager 7 | spring-security-config | Will not fix | | |
| Red Hat Fuse 7 | spring-security-config | Affected | | |
| Red Hat Integration Camel K 1 | spring-security-config | Will not fix | | |
| Red Hat JBoss Data Grid 7 | spring-security-config | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | org.keycloak-keycloak-parent | Out of support scope | | |
Additional information
Severity: 5.5 Medium (CVSS3)
Related vulnerabilities
Spring Security's spring-security.xsd file is world writable (5.5 Medium, CVSS3)