Medium severity · 4.8 · NVD Advisory · Published Dec 2, 2024 · Updated Apr 15, 2026

CVE-2024-38827

CVE-2024-38827

Description

String.toLowerCase() and String.toUpperCase(), when called without an explicit Locale, follow the JVM's default locale, and some locales have case-mapping exceptions; as a result, authorization rules could potentially not work properly.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.springframework.security:spring-security-core (Maven) | < 5.7.14 | 5.7.14 |
| org.springframework.security:spring-security-core (Maven) | >= 5.8.0, < 5.8.16 | 5.8.16 |
| org.springframework.security:spring-security-core (Maven) | >= 6.0.0, < 6.0.14 | 6.0.14 |
| org.springframework.security:spring-security-core (Maven) | >= 6.1.0, < 6.1.12 | 6.1.12 |
| org.springframework.security:spring-security-core (Maven) | >= 6.2.0, < 6.2.8 | 6.2.8 |
| org.springframework.security:spring-security-core (Maven) | >= 6.3.0, < 6.3.5 | 6.3.5 |

Patches

1
11d4272ff48b

Use Locale.ROOT consistently for toLower/toUpperCase

https://github.com/spring-projects/spring-framework · Juergen Hoeller · Oct 16, 2024 · via ghsa
23 files changed · +81 59
  • spring-beans/src/main/java/org/springframework/beans/support/PropertyComparator.java+4 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2023 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -19,6 +19,7 @@
     import java.util.Arrays;
     import java.util.Comparator;
     import java.util.List;
    +import java.util.Locale;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
    @@ -77,8 +78,8 @@ public int compare(T o1, T o2) {
     		Object v1 = getPropertyValue(o1);
     		Object v2 = getPropertyValue(o2);
     		if (this.sortDefinition.isIgnoreCase() && (v1 instanceof String text1) && (v2 instanceof String text2)) {
    -			v1 = text1.toLowerCase();
    -			v2 = text2.toLowerCase();
    +			v1 = text1.toLowerCase(Locale.ROOT);
    +			v2 = text2.toLowerCase(Locale.ROOT);
     		}
     
     		int result;
    
  • spring-context/src/main/java/org/springframework/format/datetime/standard/MonthFormatter.java+1 1 modified
    @@ -34,7 +34,7 @@ class MonthFormatter implements Formatter<Month> {
     
     	@Override
     	public Month parse(String text, Locale locale) throws ParseException {
    -		return Month.valueOf(text.toUpperCase());
    +		return Month.valueOf(text.toUpperCase(Locale.ROOT));
     	}
     
     	@Override
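Review bot: `parse` declares `throws ParseException`, but its single statement can only fail with the `IllegalArgumentException` that `Month.valueOf` raises for an unknown name, so callers that handle `ParseException` for bad input never see one. If the declared contract is meant to hold, translate the failure, e.g. `catch (IllegalArgumentException ex) { throw new ParseException("Invalid month", 0); }`; otherwise a Javadoc line should state that invalid text surfaces as `IllegalArgumentException`. The `locale` argument is unused, which deserves a short comment now that the method upper-cases with `Locale.ROOT` on purpose.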
    
  • spring-context/src/main/java/org/springframework/scheduling/support/CronField.java+2 1 modified
    @@ -21,6 +21,7 @@
     import java.time.temporal.ChronoUnit;
     import java.time.temporal.Temporal;
     import java.time.temporal.ValueRange;
    +import java.util.Locale;
     import java.util.function.BiFunction;
     
     import org.springframework.lang.Nullable;
    @@ -143,7 +144,7 @@ private static CronField parseList(String value, Type type, BiFunction<String, T
     	}
     
     	private static String replaceOrdinals(String value, String[] list) {
    -		value = value.toUpperCase();
    +		value = value.toUpperCase(Locale.ROOT);
     		for (int i = 0; i < list.length; i++) {
     			String replacement = Integer.toString(i + 1);
     			value = StringUtils.replace(value, list[i], replacement);
    
  • spring-context-support/src/main/java/org/springframework/scheduling/quartz/LocalDataSourceJobStore.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2021 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -19,6 +19,7 @@
     import java.sql.Connection;
     import java.sql.DatabaseMetaData;
     import java.sql.SQLException;
    +import java.util.Locale;
     
     import javax.sql.DataSource;
     
    @@ -155,7 +156,7 @@ public void initialize() {
     			String productName = JdbcUtils.extractDatabaseMetaData(this.dataSource,
     					DatabaseMetaData::getDatabaseProductName);
     			productName = JdbcUtils.commonDatabaseName(productName);
    -			if (productName != null && productName.toLowerCase().contains("hsql")) {
    +			if (productName != null && productName.toLowerCase(Locale.ROOT).contains("hsql")) {
     				setUseDBLocks(false);
     				setLockHandler(new SimpleSemaphore());
     			}
    
  • spring-core/src/main/java/org/springframework/core/convert/support/StringToBooleanConverter.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2022 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -16,6 +16,7 @@
     
     package org.springframework.core.convert.support;
     
    +import java.util.Locale;
     import java.util.Set;
     
     import org.springframework.core.convert.converter.Converter;
    @@ -43,7 +44,7 @@ public Boolean convert(String source) {
     		if (value.isEmpty()) {
     			return null;
     		}
    -		value = value.toLowerCase();
    +		value = value.toLowerCase(Locale.ROOT);
     		if (trueValues.contains(value)) {
     			return Boolean.TRUE;
     		}
    
  • spring-core/src/main/java/org/springframework/core/env/SystemEnvironmentPropertySource.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2021 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -16,6 +16,7 @@
     
     package org.springframework.core.env;
     
    +import java.util.Locale;
     import java.util.Map;
     
     import org.springframework.lang.Nullable;
    @@ -109,7 +110,7 @@ protected final String resolvePropertyName(String name) {
     		if (resolvedName != null) {
     			return resolvedName;
     		}
    -		String uppercasedName = name.toUpperCase();
    +		String uppercasedName = name.toUpperCase(Locale.ROOT);
     		if (!name.equals(uppercasedName)) {
     			resolvedName = checkPropertyName(uppercasedName);
     			if (resolvedName != null) {
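Review bot: Nothing in this commit keeps the no-argument `toUpperCase()`/`toLowerCase()` from coming back: all 23 changed files are call-site edits under `src/main`, with no test and no lint rule among them. A regression test that calls `resolvePropertyName` with the default locale switched to Turkish (`Locale.setDefault(Locale.forLanguageTag("tr"))`, restored afterwards) would pin this line, because under that locale a lower-case `i` upper-cases to U+0130 rather than `I` and the environment lookup would miss. A build-time check such as Error Prone's `StringCaseLocaleUsage` would cover the other call sites touched here. The body of `resolvePropertyName` continues outside the hunk.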
    
  • spring-core/src/main/java/org/springframework/util/ResourceUtils.java+2 1 modified
    @@ -24,6 +24,7 @@
     import java.net.URISyntaxException;
     import java.net.URL;
     import java.net.URLConnection;
    +import java.util.Locale;
     
     import org.springframework.lang.Nullable;
     
    @@ -306,7 +307,7 @@ public static boolean isJarURL(URL url) {
     	 */
     	public static boolean isJarFileURL(URL url) {
     		return (URL_PROTOCOL_FILE.equals(url.getProtocol()) &&
    -				url.getPath().toLowerCase().endsWith(JAR_FILE_EXTENSION));
    +				url.getPath().toLowerCase(Locale.ROOT).endsWith(JAR_FILE_EXTENSION));
     	}
     
     	/**
    
  • spring-core-test/src/main/java/org/springframework/aot/agent/InvocationsRecorderClassVisitor.java+6 5 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2022 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -17,6 +17,7 @@
     package org.springframework.aot.agent;
     
     import java.util.HashSet;
    +import java.util.Locale;
     import java.util.Set;
     
     import org.springframework.asm.ClassVisitor;
    @@ -40,6 +41,7 @@ class InvocationsRecorderClassVisitor extends ClassVisitor implements Opcodes {
     
     	private final ClassWriter classWriter;
     
    +
     	public InvocationsRecorderClassVisitor() {
     		this(new ClassWriter(ClassWriter.COMPUTE_MAXS));
     	}
    @@ -49,6 +51,7 @@ private InvocationsRecorderClassVisitor(ClassWriter classWriter) {
     		this.classWriter = classWriter;
     	}
     
    +
     	public boolean isTransformed() {
     		return this.isTransformed;
     	}
    @@ -64,6 +67,7 @@ public MethodVisitor visitMethod(int access, String name, String descriptor, Str
     		return new InvocationsRecorderMethodVisitor(mv);
     	}
     
    +
     	@SuppressWarnings("deprecation")
     	class InvocationsRecorderMethodVisitor extends MethodVisitor implements Opcodes {
     
    @@ -83,7 +87,6 @@ public InvocationsRecorderMethodVisitor(MethodVisitor mv) {
     			super(SpringAsmInfo.ASM_VERSION, mv);
     		}
     
    -
     		@Override
     		public void visitMethodInsn(int opcode, String owner, String name, String descriptor, boolean isInterface) {
     			if (isOpcodeSupported(opcode) && shouldRecordMethodCall(owner, name)) {
    @@ -116,21 +119,19 @@ public void visitInvokeDynamicInsn(String name, String descriptor, Handle bootst
     			super.visitInvokeDynamicInsn(name, descriptor, bootstrapMethodHandle, bootstrapMethodArguments);
     		}
     
    -
     		private boolean shouldRecordMethodCall(String owner, String method) {
     			String methodReference = owner + "#" + method;
     			return instrumentedMethods.contains(methodReference);
     		}
     
     		private String rewriteMethodName(String owner, String methodName) {
     			int classIndex = owner.lastIndexOf('/');
    -			return owner.substring(classIndex + 1).toLowerCase() + methodName;
    +			return owner.substring(classIndex + 1).toLowerCase(Locale.ROOT) + methodName;
     		}
     
     		private String rewriteDescriptor(int opcode, String owner, String name, String descriptor) {
     			return (opcode == Opcodes.INVOKESTATIC || opcode == Opcodes.H_INVOKESTATIC) ? descriptor : "(L" + owner + ";" + descriptor.substring(1);
     		}
    -
     	}
     
     }
    
  • spring-expression/src/main/java/org/springframework/expression/spel/ast/TypeReference.java+2 1 modified
    @@ -17,6 +17,7 @@
     package org.springframework.expression.spel.ast;
     
     import java.lang.reflect.Array;
    +import java.util.Locale;
     
     import org.springframework.asm.MethodVisitor;
     import org.springframework.asm.Type;
    @@ -58,7 +59,7 @@ public TypedValue getValueInternal(ExpressionState state) throws EvaluationExcep
     		String typeName = (String) this.children[0].getValueInternal(state).getValue();
     		Assert.state(typeName != null, "No type name");
     		if (!typeName.contains(".") && Character.isLowerCase(typeName.charAt(0))) {
    -			TypeCode tc = TypeCode.valueOf(typeName.toUpperCase());
    +			TypeCode tc = TypeCode.valueOf(typeName.toUpperCase(Locale.ROOT));
     			if (tc != TypeCode.OBJECT) {
     				// It is a primitive type
     				Class<?> clazz = makeArrayIfNecessary(tc.getType());
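Review bot: `TypeCode.valueOf(...)` throws `IllegalArgumentException` for any lower-case, dot-free name that is not a constant, so, assuming TypeCode is a plain enum, the `tc != TypeCode.OBJECT` test on the next line can only be false for the literal name `object`, and every other unknown name leaves `getValueInternal` as an unchecked exception rather than falling through to the lookup that presumably follows outside the hunk. `typeName.charAt(0)` also assumes a non-empty name, while the `Assert.state` above rules out only null. A lookup that returns `TypeCode.OBJECT` for unknown names (if TypeCode offers or can be given one), plus `!typeName.isEmpty()` in the condition, would let both cases reach normal type resolution. The method starts and ends outside the hunk.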
    
  • spring-expression/src/main/java/org/springframework/expression/spel/SpelParserConfiguration.java+3 1 modified
    @@ -16,6 +16,8 @@
     
     package org.springframework.expression.spel;
     
    +import java.util.Locale;
    +
     import org.springframework.core.SpringProperties;
     import org.springframework.lang.Nullable;
     
    @@ -46,7 +48,7 @@ public class SpelParserConfiguration {
     	static {
     		String compilerMode = SpringProperties.getProperty(SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME);
     		defaultCompilerMode = (compilerMode != null ?
    -				SpelCompilerMode.valueOf(compilerMode.toUpperCase()) : SpelCompilerMode.OFF);
    +				SpelCompilerMode.valueOf(compilerMode.toUpperCase(Locale.ROOT)) : SpelCompilerMode.OFF);
     	}
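Review bot: A property value that is not a `SpelCompilerMode` constant makes `valueOf` throw inside this static initializer, so the class fails to initialise with an `ExceptionInInitializerError` whose cause names only the enum constant, not the property that supplied it. The `from(...)` methods in NestedTestConfiguration and TestConstructor, changed in this same commit, catch `IllegalArgumentException` around the equivalent lookup. This block should handle it too, either by falling back to `OFF` with a log line or, as sketched below, by rethrowing with the property name in the message.

```java
	static {
		String compilerMode = SpringProperties.getProperty(SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME);
		SpelCompilerMode mode = SpelCompilerMode.OFF;
		if (compilerMode != null) {
			try {
				mode = SpelCompilerMode.valueOf(compilerMode.toUpperCase(Locale.ROOT));
			}
			catch (IllegalArgumentException ex) {
				throw new IllegalStateException("Unsupported value '" + compilerMode + "' for property '" +
						SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME + "'", ex);
			}
		}
		defaultCompilerMode = mode;
	}
```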
     
     
    
  • spring-expression/src/main/java/org/springframework/expression/spel/standard/InternalSpelExpressionParser.java+4 3 modified
    @@ -21,6 +21,7 @@
     import java.util.Collections;
     import java.util.Deque;
     import java.util.List;
    +import java.util.Locale;
     import java.util.concurrent.ConcurrentHashMap;
     import java.util.concurrent.ConcurrentMap;
     import java.util.regex.Pattern;
    @@ -750,7 +751,7 @@ private SpelNodeImpl eatPossiblyQualifiedId() {
     				throw internalException( this.expressionString.length(), SpelMessage.OOD);
     			}
     			throw internalException(node.startPos, SpelMessage.NOT_EXPECTED_TOKEN,
    -					"qualified ID", node.getKind().toString().toLowerCase());
    +					"qualified ID", node.getKind().toString().toLowerCase(Locale.ROOT));
     		}
     		return new QualifiedIdentifier(qualifiedIdPieces.getFirst().getStartPosition(),
     				qualifiedIdPieces.getLast().getEndPosition(), qualifiedIdPieces.toArray(new SpelNodeImpl[0]));
    @@ -942,7 +943,7 @@ private Token eatToken(TokenKind expectedKind) {
     		}
     		if (t.kind != expectedKind) {
     			throw internalException(t.startPos, SpelMessage.NOT_EXPECTED_TOKEN,
    -					expectedKind.toString().toLowerCase(), t.getKind().toString().toLowerCase());
    +					expectedKind.toString().toLowerCase(Locale.ROOT), t.getKind().toString().toLowerCase(Locale.ROOT));
     		}
     		return t;
     	}
    @@ -1038,7 +1039,7 @@ public String toString(@Nullable Token t) {
     		if (t.getKind().hasPayload()) {
     			return t.stringValue();
     		}
    -		return t.kind.toString().toLowerCase();
    +		return t.kind.toString().toLowerCase(Locale.ROOT);
     	}
     
     	private void checkOperands(Token token, @Nullable SpelNodeImpl left, @Nullable SpelNodeImpl right) {
    
  • spring-expression/src/main/java/org/springframework/expression/spel/standard/Tokenizer.java+2 1 modified
    @@ -19,6 +19,7 @@
     import java.util.ArrayList;
     import java.util.Arrays;
     import java.util.List;
    +import java.util.Locale;
     
     import org.springframework.expression.spel.InternalParseException;
     import org.springframework.expression.spel.SpelMessage;
    @@ -457,7 +458,7 @@ private void lexIdentifier() {
     		// Check if this is the alternative (textual) representation of an operator (see
     		// ALTERNATIVE_OPERATOR_NAMES).
     		if (subarray.length == 2 || subarray.length == 3) {
    -			String asString = new String(subarray).toUpperCase();
    +			String asString = new String(subarray).toUpperCase(Locale.ROOT);
     			int idx = Arrays.binarySearch(ALTERNATIVE_OPERATOR_NAMES, asString);
     			if (idx >= 0) {
     				pushOneCharOrTwoCharToken(TokenKind.valueOf(asString), start, subarray);
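Review bot: `Locale.ROOT` makes this conversion independent of the JVM default locale, but it is still a full Unicode mapping: the `subarray.length == 2 || subarray.length == 3` test runs on the raw characters, and upper-casing can map a non-ASCII letter onto ASCII (U+017F becomes `S`) or change the length (U+00DF becomes `SS`). Whether that matters depends on the identifier scanner, which is outside this hunk. If it only admits ASCII letters, a comment here should say so, e.g. `// identifier chars are ASCII-only, so upper-casing cannot map other letters onto an operator name`; if it admits other letters, the comparison against `ALTERNATIVE_OPERATOR_NAMES` should use an ASCII-only fold. `lexIdentifier` begins and ends outside the hunk.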
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/CallMetaDataContext.java+5 5 modified
    @@ -385,7 +385,7 @@ protected List<SqlParameter> reconcileParameters(List<SqlParameter> parameters)
     				if (meta.isReturnParameter()) {
     					param = declaredParams.get(getFunctionReturnName());
     					if (param == null && !getOutParameterNames().isEmpty()) {
    -						param = declaredParams.get(getOutParameterNames().get(0).toLowerCase());
    +						param = declaredParams.get(getOutParameterNames().get(0).toLowerCase(Locale.ROOT));
     					}
     					if (param == null) {
     						throw new InvalidDataAccessApiUsageException(
    @@ -488,15 +488,15 @@ public Map<String, Object> matchInParameterValuesWithCallParameters(SqlParameter
     				String parameterName = parameter.getName();
     				String parameterNameToMatch = obtainMetaDataProvider().parameterNameToUse(parameterName);
     				if (parameterNameToMatch != null) {
    -					callParameterNames.put(parameterNameToMatch.toLowerCase(), parameterName);
    +					callParameterNames.put(parameterNameToMatch.toLowerCase(Locale.ROOT), parameterName);
     				}
     				if (parameterName != null) {
     					if (parameterSource.hasValue(parameterName)) {
     						matchedParameters.put(parameterName,
     								SqlParameterSourceUtils.getTypedValue(parameterSource, parameterName));
     					}
     					else {
    -						String lowerCaseName = parameterName.toLowerCase();
    +						String lowerCaseName = parameterName.toLowerCase(Locale.ROOT);
     						if (parameterSource.hasValue(lowerCaseName)) {
     							matchedParameters.put(parameterName,
     									SqlParameterSourceUtils.getTypedValue(parameterSource, lowerCaseName));
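Review bot: This file already has a private null-safe `lowerCase(String)` helper (last hunk of this section), yet the call sites in this hunk and in the hunks at -385 and -556 each inline `toLowerCase(Locale.ROOT)`. Routing them through the helper would keep the locale choice in one place, e.g. `callParameterNames.put(lowerCase(parameterNameToMatch), parameterName);` and `String lowerCaseName = lowerCase(parameterName);`. Both are equivalent here because the surrounding `!= null` checks already exclude the helper's empty-string branch. The enclosing methods start and end outside the hunks.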
    @@ -556,7 +556,7 @@ else if (logger.isInfoEnabled()) {
     				String parameterName = parameter.getName();
     				String parameterNameToMatch = provider.parameterNameToUse(parameterName);
     				if (parameterNameToMatch != null) {
    -					callParameterNames.put(parameterNameToMatch.toLowerCase(), parameterName);
    +					callParameterNames.put(parameterNameToMatch.toLowerCase(Locale.ROOT), parameterName);
     				}
     			}
     		}
    @@ -681,7 +681,7 @@ protected String createParameterBinding(SqlParameter parameter) {
     	}
     
     	private static String lowerCase(@Nullable String paramName) {
    -		return (paramName != null ? paramName.toLowerCase() : "");
    +		return (paramName != null ? paramName.toLowerCase(Locale.ROOT) : "");
     	}
     
     }
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/Db2CallMetaDataProvider.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2018 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -18,6 +18,7 @@
     
     import java.sql.DatabaseMetaData;
     import java.sql.SQLException;
    +import java.util.Locale;
     
     import org.springframework.lang.Nullable;
     
    @@ -73,7 +74,7 @@ public String metaDataSchemaNameToUse(@Nullable String schemaName) {
     
     		// Use current user schema if no schema specified...
     		String userName = getUserName();
    -		return (userName != null ? userName.toUpperCase() : null);
    +		return (userName != null ? userName.toUpperCase(Locale.ROOT) : null);
     	}
     
     }
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/DerbyCallMetaDataProvider.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2018 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -18,6 +18,7 @@
     
     import java.sql.DatabaseMetaData;
     import java.sql.SQLException;
    +import java.util.Locale;
     
     import org.springframework.lang.Nullable;
     
    @@ -45,7 +46,7 @@ public String metaDataSchemaNameToUse(@Nullable String schemaName) {
     
     		// Use current user schema if no schema specified...
     		String userName = getUserName();
    -		return (userName != null ? userName.toUpperCase() : null);
    +		return (userName != null ? userName.toUpperCase(Locale.ROOT) : null);
     	}
     
     }
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/GenericCallMetaDataProvider.java+3 2 modified
    @@ -22,6 +22,7 @@
     import java.sql.Types;
     import java.util.ArrayList;
     import java.util.List;
    +import java.util.Locale;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
    @@ -284,10 +285,10 @@ private String identifierNameToUse(@Nullable String identifierName) {
     			return null;
     		}
     		else if (isStoresUpperCaseIdentifiers()) {
    -			return identifierName.toUpperCase();
    +			return identifierName.toUpperCase(Locale.ROOT);
     		}
     		else if (isStoresLowerCaseIdentifiers()) {
    -			return identifierName.toLowerCase();
    +			return identifierName.toLowerCase(Locale.ROOT);
     		}
     		else {
     			return identifierName;
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/GenericTableMetaDataProvider.java+7 6 modified
    @@ -24,6 +24,7 @@
     import java.util.Arrays;
     import java.util.HashMap;
     import java.util.List;
    +import java.util.Locale;
     import java.util.Map;
     
     import org.apache.commons.logging.Log;
    @@ -214,10 +215,10 @@ private String identifierNameToUse(@Nullable String identifierName) {
     			return null;
     		}
     		else if (isStoresUpperCaseIdentifiers()) {
    -			return identifierName.toUpperCase();
    +			return identifierName.toUpperCase(Locale.ROOT);
     		}
     		else if (isStoresLowerCaseIdentifiers()) {
    -			return identifierName.toLowerCase();
    +			return identifierName.toLowerCase(Locale.ROOT);
     		}
     		else {
     			return identifierName;
    @@ -326,10 +327,10 @@ private void locateTableAndProcessMetaData(DatabaseMetaData databaseMetaData,
     				TableMetaData tmd = new TableMetaData(tables.getString("TABLE_CAT"),
     						tables.getString("TABLE_SCHEM"), tables.getString("TABLE_NAME"));
     				if (tmd.schemaName() == null) {
    -					tableMeta.put(this.userName != null ? this.userName.toUpperCase() : "", tmd);
    +					tableMeta.put(this.userName != null ? this.userName.toUpperCase(Locale.ROOT) : "", tmd);
     				}
     				else {
    -					tableMeta.put(tmd.schemaName().toUpperCase(), tmd);
    +					tableMeta.put(tmd.schemaName().toUpperCase(Locale.ROOT), tmd);
     				}
     			}
     		}
    @@ -356,7 +357,7 @@ private TableMetaData findTableMetaData(@Nullable String schemaName, @Nullable S
     			Map<String, TableMetaData> tableMeta) {
     
     		if (schemaName != null) {
    -			TableMetaData tmd = tableMeta.get(schemaName.toUpperCase());
    +			TableMetaData tmd = tableMeta.get(schemaName.toUpperCase(Locale.ROOT));
     			if (tmd == null) {
     				throw new DataAccessResourceFailureException("Unable to locate table meta-data for '" +
     						tableName + "' in the '" + schemaName + "' schema");
    @@ -369,7 +370,7 @@ else if (tableMeta.size() == 1) {
     		else {
     			TableMetaData tmd = tableMeta.get(getDefaultSchema());
     			if (tmd == null) {
    -				tmd = tableMeta.get(this.userName != null ? this.userName.toUpperCase() : "");
    +				tmd = tableMeta.get(this.userName != null ? this.userName.toUpperCase(Locale.ROOT) : "");
     			}
     			if (tmd == null) {
     				tmd = tableMeta.get("PUBLIC");
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/metadata/TableMetaDataContext.java+9 8 modified
    @@ -20,6 +20,7 @@
     import java.util.Collections;
     import java.util.LinkedHashSet;
     import java.util.List;
    +import java.util.Locale;
     import java.util.Map;
     import java.util.Set;
     
    @@ -217,11 +218,11 @@ protected List<String> reconcileColumnsToUse(List<String> declaredColumns, Strin
     		}
     		Set<String> keys = new LinkedHashSet<>(generatedKeyNames.length);
     		for (String key : generatedKeyNames) {
    -			keys.add(key.toUpperCase());
    +			keys.add(key.toUpperCase(Locale.ROOT));
     		}
     		List<String> columns = new ArrayList<>();
     		for (TableParameterMetaData meta : obtainMetaDataProvider().getTableParameterMetaData()) {
    -			if (!keys.contains(meta.getParameterName().toUpperCase())) {
    +			if (!keys.contains(meta.getParameterName().toUpperCase(Locale.ROOT))) {
     				columns.add(meta.getParameterName());
     			}
     		}
    @@ -243,7 +244,7 @@ public List<Object> matchInParameterValuesWithInsertColumns(SqlParameterSource p
     				values.add(SqlParameterSourceUtils.getTypedValue(parameterSource, column));
     			}
     			else {
    -				String lowerCaseName = column.toLowerCase();
    +				String lowerCaseName = column.toLowerCase(Locale.ROOT);
     				if (parameterSource.hasValue(lowerCaseName)) {
     					values.add(SqlParameterSourceUtils.getTypedValue(parameterSource, lowerCaseName));
     				}
    @@ -276,7 +277,7 @@ public List<Object> matchInParameterValuesWithInsertColumns(Map<String, ?> inPar
     		for (String column : this.tableColumns) {
     			Object value = inParameters.get(column);
     			if (value == null) {
    -				value = inParameters.get(column.toLowerCase());
    +				value = inParameters.get(column.toLowerCase(Locale.ROOT));
     				if (value == null) {
     					for (Map.Entry<String, ?> entry : inParameters.entrySet()) {
     						if (column.equalsIgnoreCase(entry.getKey())) {
    @@ -298,7 +299,7 @@ public List<Object> matchInParameterValuesWithInsertColumns(Map<String, ?> inPar
     	public String createInsertString(String... generatedKeyNames) {
     		Set<String> keys = new LinkedHashSet<>(generatedKeyNames.length);
     		for (String key : generatedKeyNames) {
    -			keys.add(key.toUpperCase());
    +			keys.add(key.toUpperCase(Locale.ROOT));
     		}
     
     		String identifierQuoteString = (isQuoteIdentifiers() ?
    @@ -326,7 +327,7 @@ public String createInsertString(String... generatedKeyNames) {
     		insertStatement.append(" (");
     		int columnCount = 0;
     		for (String columnName : getTableColumns()) {
    -			if (!keys.contains(columnName.toUpperCase())) {
    +			if (!keys.contains(columnName.toUpperCase(Locale.ROOT))) {
     				columnCount++;
     				if (columnCount > 1) {
     					insertStatement.append(", ");
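Review bot: `columnName.toUpperCase(Locale.ROOT)` dereferences every entry of `getTableColumns()` without a null check, whereas `createInsertTypes()` in the last hunk of this section tests `column == null` over the same list before upper-casing. If null entries can really occur, as that other loop suggests, this line throws `NullPointerException` while building the insert statement. The two loops should agree: either guard here with `if (columnName != null && !keys.contains(columnName.toUpperCase(Locale.ROOT)))`, or document on `getTableColumns()` that entries are never null. The loop body and `createInsertString` continue outside the hunk.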
    @@ -366,15 +367,15 @@ public int[] createInsertTypes() {
     		List<TableParameterMetaData> parameters = obtainMetaDataProvider().getTableParameterMetaData();
     		Map<String, TableParameterMetaData> parameterMap = CollectionUtils.newLinkedHashMap(parameters.size());
     		for (TableParameterMetaData tpmd : parameters) {
    -			parameterMap.put(tpmd.getParameterName().toUpperCase(), tpmd);
    +			parameterMap.put(tpmd.getParameterName().toUpperCase(Locale.ROOT), tpmd);
     		}
     		int typeIndx = 0;
     		for (String column : getTableColumns()) {
     			if (column == null) {
     				types[typeIndx] = SqlTypeValue.TYPE_UNKNOWN;
     			}
     			else {
    -				TableParameterMetaData tpmd = parameterMap.get(column.toUpperCase());
    +				TableParameterMetaData tpmd = parameterMap.get(column.toUpperCase(Locale.ROOT));
     				if (tpmd != null) {
     					types[typeIndx] = tpmd.getSqlType();
     				}
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/namedparam/SqlParameterSourceUtils.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2023 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -19,6 +19,7 @@
     import java.util.Arrays;
     import java.util.Collection;
     import java.util.HashMap;
    +import java.util.Locale;
     import java.util.Map;
     
     import org.springframework.jdbc.core.SqlParameterValue;
    @@ -115,7 +116,7 @@ public static Map<String, String> extractCaseInsensitiveParameterNames(SqlParame
     		String[] paramNames = parameterSource.getParameterNames();
     		if (paramNames != null) {
     			for (String name : paramNames) {
    -				caseInsensitiveParameterNames.put(name.toLowerCase(), name);
    +				caseInsensitiveParameterNames.put(name.toLowerCase(Locale.ROOT), name);
     			}
     		}
     		return caseInsensitiveParameterNames;
    
  • spring-jdbc/src/main/java/org/springframework/jdbc/core/simple/AbstractJdbcInsert.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2023 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -26,6 +26,7 @@
     import java.util.Collections;
     import java.util.HashMap;
     import java.util.List;
    +import java.util.Locale;
     import java.util.Map;
     
     import javax.sql.DataSource;
    @@ -490,7 +491,7 @@ private KeyHolder executeInsertAndReturnKeyHolderInternal(List<?> values) {
     			// get generated keys feature. HSQL is one, PostgreSQL is another. Postgres uses a RETURNING
     			// clause while HSQL uses a second query that has to be executed with the same connection.
     
    -			if (keyQuery.toUpperCase().startsWith("RETURNING")) {
    +			if (keyQuery.toUpperCase(Locale.ROOT).startsWith("RETURNING")) {
     				Long key = getJdbcTemplate().queryForObject(
     						getInsertString() + " " + keyQuery, Long.class, values.toArray());
     				Map<String, Object> keys = new HashMap<>(2);
    
  • spring-jms/src/main/java/org/springframework/jms/config/JmsListenerContainerParser.java+4 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2020 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -16,6 +16,8 @@
     
     package org.springframework.jms.config;
     
    +import java.util.Locale;
    +
     import jakarta.jms.Session;
     import org.w3c.dom.Element;
     
    @@ -155,7 +157,7 @@ protected MutablePropertyValues parseSpecificContainerProperties(Element contain
     				}
     			}
     			else {
    -				properties.add("cacheLevelName", "CACHE_" + cache.toUpperCase());
    +				properties.add("cacheLevelName", "CACHE_" + cache.toUpperCase(Locale.ROOT));
     			}
     		}
     
    
  • spring-test/src/main/java/org/springframework/test/context/NestedTestConfiguration.java+3 3 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2023 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -22,6 +22,7 @@
     import java.lang.annotation.Retention;
     import java.lang.annotation.RetentionPolicy;
     import java.lang.annotation.Target;
    +import java.util.Locale;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
    @@ -159,7 +160,7 @@ public static EnclosingConfiguration from(@Nullable String name) {
     				return null;
     			}
     			try {
    -				return EnclosingConfiguration.valueOf(name.trim().toUpperCase());
    +				return EnclosingConfiguration.valueOf(name.trim().toUpperCase(Locale.ROOT));
     			}
     			catch (IllegalArgumentException ex) {
     				Log logger = LogFactory.getLog(EnclosingConfiguration.class);
    @@ -171,7 +172,6 @@ public static EnclosingConfiguration from(@Nullable String name) {
     				return null;
     			}
     		}
    -
     	}
     
     }
    
  • spring-test/src/main/java/org/springframework/test/context/TestConstructor.java+3 2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2023 the original author or authors.
    + * Copyright 2002-2024 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -22,6 +22,7 @@
     import java.lang.annotation.Retention;
     import java.lang.annotation.RetentionPolicy;
     import java.lang.annotation.Target;
    +import java.util.Locale;
     
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
    @@ -161,7 +162,7 @@ public static AutowireMode from(@Nullable String name) {
     				return null;
     			}
     			try {
    -				return AutowireMode.valueOf(name.trim().toUpperCase());
    +				return AutowireMode.valueOf(name.trim().toUpperCase(Locale.ROOT));
     			}
     			catch (IllegalArgumentException ex) {
     				Log logger = LogFactory.getLog(AutowireMode.class);
    
