CVE-2024-38820

The fix for CVE-2022-22968 made `disallowedFields` patterns in `DataBinder` case insensitive. However, `String.toLowerCase()` has some Locale-dependent exceptions that could potentially result in fields not being protected as expected.
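The locale dependence the description refers to, as an added Java illustration (not Spring's code): a case-insensitive field check built on the default-locale `String.toLowerCase()` is compared with the same check using `Locale.ROOT`. The pattern and field names are constructed, and `Locale.ROOT` is used here as the generic locale-independent comparison, an assumption rather than a quote from the patched `DataBinder`.

```java
import java.util.Locale;

// Added illustration, not Spring Framework code: why a case-insensitive
// disallowed-field check that relies on the default-locale toLowerCase()
// can fail to match a field name under some locales.
public class LocaleCaseCheck {

    // Naive check: lower-cases both sides with the JVM default locale.
    static boolean matchesDefaultLocale(String pattern, String field) {
        return field.toLowerCase().equals(pattern.toLowerCase());
    }

    // Locale-independent check: Locale.ROOT applies only the
    // language-neutral case mappings, so "I" always becomes "i".
    static boolean matchesRootLocale(String pattern, String field) {
        return field.toLowerCase(Locale.ROOT).equals(pattern.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String disallowed = "id"; // constructed disallowed pattern, stored lower-case
        String submitted = "ID";  // constructed incoming field name

        Locale saved = Locale.getDefault();
        try {
            // Turkish case rules map upper-case "I" to dotless "\u0131" (U+0131),
            // so "ID" lower-cases to "\u0131d" and no longer equals "id".
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("default locale (tr-TR): "
                    + matchesDefaultLocale(disallowed, submitted));
            System.out.println("Locale.ROOT:            "
                    + matchesRootLocale(disallowed, submitted));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

Run with a Turkish default locale (the program sets one itself), the default-locale comparison reports no match for `ID` against the `id` pattern while the `Locale.ROOT` comparison matches; any blocklist or allowlist that normalises case should therefore pass an explicit locale such as `Locale.ROOT` rather than relying on the JVM default.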
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | NIST | 3.1 LOW | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| vmware | CNA | 3.1 LOW | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CISA-ADP | ADP | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |

Base Score: CVSS 3.x

EPSS Score: Percentile 9%
| Vendor | Product | Version |
| --- | --- | --- |
| vmware | spring_framework | 5.3.0 ≤ x < 5.3.41 |
| vmware | spring_framework | 6.0.0 ≤ x < 6.0.25 |
| vmware | spring_framework | 6.1.0 ≤ x < 6.1.14 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Status |
| --- | --- | --- |
| libspring-java | bullseye | unimportant |
| libspring-java | bookworm | unimportant |
| libspring-java | sid | unimportant |
| libspring-java | trixie | unimportant |