Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-sguk-f634-sfgs

Summary

Spring Security's spring-security.xsd file is world writable
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system.

While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Aliases

alias	CVE-2023-34042

alias	GHSA-9gp8-6cg8-7h34

Fixed_packages

url	pkg:maven/org.springframework.security/spring-security-config@5.7.11
purl	pkg:maven/org.springframework.security/spring-security-config@5.7.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.7.11

url	pkg:maven/org.springframework.security/spring-security-config@5.8.7
purl	pkg:maven/org.springframework.security/spring-security-config@5.8.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.7

url	pkg:maven/org.springframework.security/spring-security-config@6.0.7
purl	pkg:maven/org.springframework.security/spring-security-config@6.0.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.7

url	pkg:maven/org.springframework.security/spring-security-config@6.1.4
purl	pkg:maven/org.springframework.security/spring-security-config@6.1.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.4

url pkg:maven/org.springframework.security/spring-security-core@5.7.11

purl pkg:maven/org.springframework.security/spring-security-core@5.7.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.11

url pkg:maven/org.springframework.security/spring-security-core@5.8.7

purl pkg:maven/org.springframework.security/spring-security-core@5.8.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.7

url pkg:maven/org.springframework.security/spring-security-core@6.0.7

purl pkg:maven/org.springframework.security/spring-security-core@6.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.7

url pkg:maven/org.springframework.security/spring-security-core@6.1.4

purl pkg:maven/org.springframework.security/spring-security-core@6.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42hz-39hx-myh7

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.4

Affected_packages

url pkg:maven/org.springframework.security/spring-security-config@5.7.9

purl pkg:maven/org.springframework.security/spring-security-config@5.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.7.9

url pkg:maven/org.springframework.security/spring-security-config@5.7.10

purl pkg:maven/org.springframework.security/spring-security-config@5.7.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.7.10

url pkg:maven/org.springframework.security/spring-security-config@5.8.4

purl pkg:maven/org.springframework.security/spring-security-config@5.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.4

url pkg:maven/org.springframework.security/spring-security-config@5.8.6

purl pkg:maven/org.springframework.security/spring-security-config@5.8.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@5.8.6

url pkg:maven/org.springframework.security/spring-security-config@6.0.4

purl pkg:maven/org.springframework.security/spring-security-config@6.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.4

url pkg:maven/org.springframework.security/spring-security-config@6.0.6

purl pkg:maven/org.springframework.security/spring-security-config@6.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.0.6

url pkg:maven/org.springframework.security/spring-security-config@6.1.1

purl pkg:maven/org.springframework.security/spring-security-config@6.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.1

url pkg:maven/org.springframework.security/spring-security-config@6.1.3

purl pkg:maven/org.springframework.security/spring-security-config@6.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sguk-f634-sfgs

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-config@6.1.3

url pkg:maven/org.springframework.security/spring-security-core@5.7.9

purl pkg:maven/org.springframework.security/spring-security-core@5.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.9

url pkg:maven/org.springframework.security/spring-security-core@5.7.10

purl pkg:maven/org.springframework.security/spring-security-core@5.7.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.10

url pkg:maven/org.springframework.security/spring-security-core@5.8.4

purl pkg:maven/org.springframework.security/spring-security-core@5.8.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.4

url pkg:maven/org.springframework.security/spring-security-core@5.8.5

purl pkg:maven/org.springframework.security/spring-security-core@5.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.5

url pkg:maven/org.springframework.security/spring-security-core@5.8.6

purl pkg:maven/org.springframework.security/spring-security-core@5.8.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.6

url pkg:maven/org.springframework.security/spring-security-core@6.0.4

purl pkg:maven/org.springframework.security/spring-security-core@6.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.4

url pkg:maven/org.springframework.security/spring-security-core@6.0.5

purl pkg:maven/org.springframework.security/spring-security-core@6.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.5

url pkg:maven/org.springframework.security/spring-security-core@6.0.6

purl pkg:maven/org.springframework.security/spring-security-core@6.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.6

url pkg:maven/org.springframework.security/spring-security-core@6.1.1

purl pkg:maven/org.springframework.security/spring-security-core@6.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42hz-39hx-myh7

vulnerability	VCID-7ceg-a9bh-fkau

vulnerability	VCID-8dx4-u4aa-xuet

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.1

url pkg:maven/org.springframework.security/spring-security-core@6.1.2

purl pkg:maven/org.springframework.security/spring-security-core@6.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42hz-39hx-myh7

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.2

url pkg:maven/org.springframework.security/spring-security-core@6.1.3

purl pkg:maven/org.springframework.security/spring-security-core@6.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42hz-39hx-myh7

vulnerability	VCID-dwcq-d6nf-1ubn

vulnerability	VCID-sguk-f634-sfgs

vulnerability	VCID-u6vb-w2bu-ykfk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.3

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34042.json

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34042.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-34042

reference_id

reference_type

scores

value	0.00043
scoring_system	epss
scoring_elements	0.13103
published_at	2026-04-21T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13226
published_at	2026-04-02T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13292
published_at	2026-04-04T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.1309
published_at	2026-04-07T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13171
published_at	2026-04-08T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13223
published_at	2026-04-09T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13191
published_at	2026-04-11T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13154
published_at	2026-04-12T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13102
published_at	2026-04-13T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13003
published_at	2026-04-16T12:55:00Z

value	0.00043
scoring_system	epss
scoring_elements	0.13006
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-34042

reference_url

https://github.com/spring-projects/spring-security

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-security

reference_url

https://github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-34042

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-34042

reference_url

https://security.netapp.com/advisory/ntap-20241129-0010

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20241129-0010

reference_url

https://spring.io/security/cve-2023-34042

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:00:46Z/

url

https://spring.io/security/cve-2023-34042

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2262911
reference_id	2262911
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2262911

reference_url

https://github.com/advisories/GHSA-9gp8-6cg8-7h34

reference_id

GHSA-9gp8-6cg8-7h34

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9gp8-6cg8-7h34

Weaknesses

cwe_id	732
name	Incorrect Permission Assignment for Critical Resource
description	The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sguk-f634-sfgs

Vulnerability Instance