Moderate severityNVD Advisory· Published Oct 18, 2024· Updated Nov 29, 2024
CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception
CVE-2024-38820
Description
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-contextMaven | >= 6.1.0, < 6.1.14 | 6.1.14 |
org.springframework:spring-webMaven | >= 6.1.0, < 6.1.14 | 6.1.14 |
org.springframework:spring-webMaven | >= 6.0.0, <= 6.0.24 | — |
org.springframework:spring-contextMaven | >= 6.0.0, <= 6.0.24 | — |
org.springframework:spring-contextMaven | <= 5.3.40 | — |
org.springframework:spring-webMaven | <= 5.3.40 | — |
Affected products
27- osv-coords26 versionspkg:apk/chainguard/apache-nifipkg:apk/chainguard/apache-nifi-compatpkg:apk/chainguard/apache-nifi-toolkitpkg:apk/chainguard/camunda-zeebepkg:apk/chainguard/camunda-zeebe-compatpkg:apk/chainguard/jenkinspkg:apk/chainguard/jenkins-compatpkg:apk/chainguard/jenkins-remotingpkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/wolfi/apache-nifipkg:apk/wolfi/apache-nifi-compatpkg:apk/wolfi/apache-nifi-toolkitpkg:apk/wolfi/jenkinspkg:apk/wolfi/jenkins-compatpkg:apk/wolfi/jenkins-remotingpkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:maven/org.springframework/spring-contextpkg:maven/org.springframework/spring-web
< 2.0.0-r0+ 25 more
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 8.6.5-r0
- (no CPE)range: < 8.6.5-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 2.0.0-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 2.484-r0
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: < 3.8.1-r1
- (no CPE)range: >= 6.1.0, < 6.1.14
- (no CPE)range: >= 6.1.0, < 6.1.14
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-4gc7-5j7h-4qphghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-38820ghsaADVISORY
- github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296cghsaWEB
- github.com/spring-projects/spring-framework/commits/v6.2.0-RC2ghsaWEB
- security.netapp.com/advisory/ntap-20241129-0003ghsaWEB
- spring.io/security/cve-2024-38820ghsaWEB
News mentions
0No linked articles in our index yet.