The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
References
History

Tue, 05 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-178

Tue, 22 Oct 2024 16:00:00 +0000

Type Values Removed Values Added
First Time appeared: Vmware; Vmware spring Framework
Weaknesses: NVD-CWE-noinfo
CPEs: cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products: Vmware; Vmware spring Framework

Fri, 18 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Oct 2024 05:45:00 +0000

Type Values Removed Values Added
Description: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Title: CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception
References
Metrics: cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-10-18T05:39:05.275Z

Updated: 2024-11-05T20:15:24.631Z

Reserved: 2024-06-19T22:32:06.583Z

Link: CVE-2024-38820

Vulnrichment

Updated: 2024-10-18T16:33:52.621Z

NVD

Status: Modified

Published: 2024-10-18T06:15:03.333

Modified: 2024-11-05T21:35:09.393

Link: CVE-2024-38820

Redhat

No data.