SCA: security update for org.springframework.security:spring-security-config (GHSA-9gp8-6cg8-7h34)

medium Tenable Self-Hosted Container Security Plugin ID 413268

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The spring-security.xsd file inside the spring-security-config jar is world writable which means that if
it were extracted it could be written by anyone with access to the file system. While there are no known
exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could
result in an exploit. Users should update to the latest version of Spring Security to mitigate any future
exploits found around this issue. (CVE-2023-34042)

See Also

https://github.com/advisories/GHSA-9gp8-6cg8-7h34

Plugin Details

Severity: Medium

ID: 413268

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2023-34042

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2024

Vulnerability Publication Date: 2/5/2024

Reference Information

CVE: CVE-2023-34042

cwe: CWE-732