CVE-2024-38820

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
References
Link Resource
https://spring.io/security/cve-2024-38820 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

History

05 Nov 2024, 21:35

Type Values Removed Values Added
CWE CWE-178

22 Oct 2024, 15:42

Type Values Removed Values Added
Summary
  • (es) La corrección de CVE-2022-22968 hizo que los patrones disallowedFields en DataBinder no distingan entre mayúsculas y minúsculas. Sin embargo, String.toLowerCase() tiene algunas excepciones dependientes de la configuración regional que podrían generar campos no protegidos como se esperaba.
CPE cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 3.1
v2 : unknown
v3 : 5.3
References () https://spring.io/security/cve-2024-38820 - () https://spring.io/security/cve-2024-38820 - Vendor Advisory
First Time Vmware spring Framework
Vmware
CWE NVD-CWE-noinfo

18 Oct 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-18 06:15

Updated : 2024-11-05 21:35


NVD link : CVE-2024-38820

Mitre link : CVE-2024-38820

CVE.ORG link : CVE-2024-38820


JSON object : View

Products Affected

vmware

  • spring_framework
CWE
NVD-CWE-noinfo CWE-178

Improper Handling of Case Sensitivity