CVE-2024-38820

EUVD-2024-2933
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
vmwareCNA
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
Affected Products (NVD)
VendorProductVersion
vmwarespring_framework
5.3.0 ≤
𝑥
< 5.3.41
vmwarespring_framework
6.0.0 ≤
𝑥
< 6.0.25
vmwarespring_framework
6.1.0 ≤
𝑥
< 6.1.14
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
vmwarespring
5.3.0 ≤
𝑥
< 5.3.41
CNA
vmwarespring
6.0.0 ≤
𝑥
< 6.0.25
CNA
vmwarespring
6.1.0 ≤
𝑥
< 6.1.14
CNA
Debian logo
Debian Releases
Debian Product
Codename
libspring-java
bookworm
unimportant
bullseye
unimportant
forky
unimportant
sid
unimportant
trixie
unimportant
Common Weakness Enumeration
References
https://spring.io/security/cve-2024-38820
https://security.netapp.com/advisory/ntap-20241129-0003/