Insensitive Patterns in DataBinder Could Leave Fields Vulnerable

CVE-2024-38820

5.3MEDIUM

Key Information

Vendor: Vmware
Status: Spring
Vendor: CVE Published:; 18 October 2024

Summary

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Affected Version(s)

Spring <= 5.3.x

Spring < 5.3.41

Spring < 6.0.25

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 5.3 to: 3.1 - (LOW)
Nov 29, 2024
Risk change from: 5.3 to: 3.1 - (LOW)
Nov 5, 2024
Vulnerability published.
Oct 18, 2024
Vulnerability Reserved.
Jun 19, 2024

Collectors

NVD DatabaseMitre Database