Insensitive Patterns in DataBinder Could Leave Fields Vulnerable
CVE-2024-38820
Summary
CVE-2024-38820 is a follow-up to an earlier Spring Framework DataBinder issue (CVE-2022-22968), whose fix made disallowedFields patterns case insensitive. That fix compared each pattern and each submitted field name after lowercasing both with String.toLowerCase(), which uses the JVM's default locale. In some locales (Turkish and Azeri, for example) the uppercase letter I lowercases to the dotless ı (U+0131) rather than to i, so a pattern and a field name that should compare equal ignoring case no longer do, and a field that was meant to be blocked can be bound. The fixed versions lowercase with a fixed locale (Locale.ROOT) so the comparison does not depend on the runtime locale. Applications on affected versions that rely on disallowedFields should upgrade; as a general hardening measure, an allowedFields allowlist is a safer control than a disallowedFields denylist, since an unexpected field name then fails closed instead of open.
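The following is an added example, not Spring Framework code, that reproduces the failure mode described above in plain Java. The simpleMatch helper is an assumed stand-in for Spring's pattern matcher (exact match, "prefix*" and "*suffix" only), and the two isDisallowed variants mirror the shape of the check before and after the fix: the vulnerable one lowercases with the default locale, the fixed one with Locale.ROOT. Running main switches the default locale to tr-TR and shows the pattern "ID" failing to match the submitted field "id" in the vulnerable variant while the fixed variant still blocks it.

```java
import java.util.Locale;

/**
 * Added example (not Spring Framework code): why a default-locale
 * toLowerCase() makes a case-insensitive disallowedFields check
 * unreliable, and the locale-independent form that fixes it.
 */
public class DisallowedFieldsLocaleDemo {

    /** Assumed stand-in for Spring's PatternMatchUtils.simpleMatch:
     *  supports exact match, "prefix*" and "*suffix". */
    static boolean simpleMatch(String pattern, String value) {
        if (pattern.endsWith("*")) {
            return value.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        if (pattern.startsWith("*")) {
            return value.endsWith(pattern.substring(1));
        }
        return pattern.equals(value);
    }

    /** Pre-fix shape of the check: both sides lowercased with the JVM default locale. */
    static boolean isDisallowedVulnerable(String[] disallowedFields, String field) {
        String f = field.toLowerCase();
        for (String pattern : disallowedFields) {
            if (simpleMatch(pattern.toLowerCase(), f)) {
                return true;
            }
        }
        return false;
    }

    /** Fixed shape of the check: Locale.ROOT gives the same mapping on every JVM. */
    static boolean isDisallowedFixed(String[] disallowedFields, String field) {
        String f = field.toLowerCase(Locale.ROOT);
        for (String pattern : disallowedFields) {
            if (simpleMatch(pattern.toLowerCase(Locale.ROOT), f)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: patterns as a developer might write them ("ID" has an
        // uppercase I) and field names as a client might submit them.
        String[] disallowed = {"ID", "isAdmin", "*Password"};
        String[] submitted = {"id", "Id", "isAdmin", "ISADMIN", "newPassword"};

        for (Locale locale : new Locale[] {Locale.ROOT, Locale.forLanguageTag("tr-TR")}) {
            Locale.setDefault(locale);
            String name = locale.equals(Locale.ROOT) ? "ROOT" : locale.toLanguageTag();
            String lowered = "ID".toLowerCase();   // default locale: "id" under ROOT, "\u0131d" under tr-TR
            System.out.println("Default locale " + name + ": \"ID\".toLowerCase() -> " + lowered
                    + " (contains U+0131: " + lowered.contains("\u0131") + ")");
            for (String field : submitted) {
                System.out.printf("  %-12s vulnerable=%-5s fixed=%s%n", field,
                        isDisallowedVulnerable(disallowed, field),
                        isDisallowedFixed(disallowed, field));
            }
        }
    }
}
```

Under tr-TR the vulnerable variant reports "id" and "ISADMIN" as allowed, because "ID" lowercases to "ıd" and "ISADMIN" to "ısadmın", neither of which equals the lowercased pattern; "Id" is still caught only because both sides happen to contain the same uppercase I. Patterns without an uppercase I ("*Password") behave identically in both variants, which is why the problem is easy to miss in testing unless the test JVM runs with an affected default locale.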
Affected Version(s)
Spring 5.3.x < 5.3.41
Spring 6.0.x < 6.0.25
Timeline
First article discovered by infoq.com
Vulnerability published
Vulnerability Reserved