Insensitive Patterns in DataBinder Could Leave Fields Vulnerable
CVE-2024-38820

5.3MEDIUM

Key Information:

Vendor: Vmware
Status: Spring
Vendor: CVE Published:; 18 October 2024

Badges

📰 News Worthy

What is CVE-2024-38820?

A recent vulnerability in the Spring Framework's DataBinder arises from an insufficient fix implemented for a previous issue. The update intended to enhance the protection of fields by making disallowedFields patterns case insensitive. However, the method String.toLowerCase() exhibits certain locale-dependent behaviors that may lead to unexpected results, resulting in potential exposure of sensitive fields that should be restricted. This oversight may undermine the security measures expected from the DataBinder, making it crucial for developers to review their implementations and ensure necessary mitigations are in place.

Affected Version(s)

Spring 5.3.x

Spring 5.3.x < 5.3.41

Spring 6.0.x < 6.0.25

News Articles

infoq.com

CVE-2024-38819 CVE-2024-38820

Java News Roundup: WildFly 34, Stream Gatherers, Oracle CPU, Quarkiverse Release Process

This week's Java roundup for October 14th, 2024, features news highlighting: the release of WildFly 34; JEP 485, Stream Gatherers, proposed to target for JDK 24; Oracle Critical Patch Update for Octob

References

https://spring.io/security/cve-2024-38820

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by infoq.com
Oct 21, 2024
Vulnerability published
Oct 18, 2024
Vulnerability Reserved
Jun 19, 2024

JSON

Vmware

Badges

What is CVE-2024-38820?

Affected Version(s)

News Articles

Java News Roundup: WildFly 34, Stream Gatherers, Oracle CPU, Quarkiverse Release Process

References

CVSS V3.1

Timeline