CVE-2024-38820 - OpenCVE

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Vmware	Spring Framework

Configuration 1 [-]

OR	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::

No data.

References

Link	Providers
https://spring.io/security/cve-2024-38820

History

Tue, 05 Nov 2024 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-178

Tue, 22 Oct 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware spring Framework
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:vmware:spring_framework::::::::
Vendors & Products		Vmware Vmware spring Framework

Fri, 18 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 18 Oct 2024 05:45:00 +0000

Type	Values Removed	Values Added
Description		The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Title		CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception
References		https://spring.io/security/cve-2024-38820
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-10-18T05:39:05.275Z

Updated: 2024-11-05T20:15:24.631Z

Reserved: 2024-06-19T22:32:06.583Z

Link: CVE-2024-38820

Vulnrichment

Updated: 2024-10-18T16:33:52.621Z

NVD

Status : Modified

Published: 2024-10-18T06:15:03.333

Modified: 2024-11-05T21:35:09.393

Link: CVE-2024-38820

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38820", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:06.583Z", "datePublished": "2024-10-18T05:39:05.275Z", "dateUpdated": "2024-11-05T20:15:24.631Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Framework", "product": "Spring", "vendor": "VMware", "versions": [{"lessThan": "5.3.41", "status": "affected", "version": "5.3.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.0.25", "status": "affected", "version": "6.0.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.1.14", "status": "affected", "version": "6.1.x", "versionType": "OSS"}]}], "datePublic": "2024-10-17T05:32:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><p>The fix for CVE-2022-22968 made <code>disallowedFields</code> patterns in <code>DataBinder</code> case insensitive. However, <code>String.toLowerCase()</code> has some Locale dependent exceptions that could potentially result in fields not protected as expected.</p></div></div><div><br></div><br>"}], "value": "The fix for CVE-2022-22968 made disallowedFields\u00a0patterns in DataBinder\u00a0case insensitive. However, String.toLowerCase()\u00a0has some Locale dependent exceptions that could potentially result in fields not protected as expected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-10-18T05:39:05.275Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38820"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-178", "lang": "en", "description": "CWE-178 Improper Handling of Case Sensitivity"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-18T16:33:48.971617Z", "id": "CVE-2024-38820", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T20:15:24.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-18T16:33:48.971617Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178 Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T16:33:52.621Z"}}], "cna": {"title": "CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring", "versions": [{"status": "affected", "version": "5.3.x", "lessThan": "5.3.41", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.0.x", "lessThan": "6.0.25", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.1.x", "lessThan": "6.1.14", "versionType": "OSS"}], "packageName": "Spring Framework", "defaultStatus": "affected"}], "datePublic": "2024-10-17T05:32:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38820"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The fix for CVE-2022-22968 made disallowedFields\u00a0patterns in DataBinder\u00a0case insensitive. However, String.toLowerCase()\u00a0has some Locale dependent exceptions that could potentially result in fields not protected as expected.", "supportingMedia": [{"type": "text/html", "value": "<div><div><p>The fix for CVE-2022-22968 made <code>disallowedFields</code> patterns in <code>DataBinder</code> case insensitive. However, <code>String.toLowerCase()</code> has some Locale dependent exceptions that could potentially result in fields not protected as expected.</p></div></div><div><br></div><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-10-18T05:39:05.275Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38820", "state": "PUBLISHED", "dateUpdated": "2024-11-05T20:15:24.631Z", "dateReserved": "2024-06-19T22:32:06.583Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-10-18T05:39:05.275Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF21F5D2-C4C5-4F24-AC72-D035237FF88E", "versionEndExcluding": "5.3.41", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "39D2699C-C6AD-4D79-A35B-2D273FA1C97C", "versionEndExcluding": "6.0.25", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "34886C2E-A108-48D6-9536-D33EF3C90A0A", "versionEndExcluding": "6.1.14", "versionStartIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The fix for CVE-2022-22968 made disallowedFields\u00a0patterns in DataBinder\u00a0case insensitive. However, String.toLowerCase()\u00a0has some Locale dependent exceptions that could potentially result in fields not protected as expected."}, {"lang": "es", "value": "La correcci\u00f3n de CVE-2022-22968 hizo que los patrones disallowedFields en DataBinder no distingan entre may\u00fasculas y min\u00fasculas. Sin embargo, String.toLowerCase() tiene algunas excepciones dependientes de la configuraci\u00f3n regional que podr\u00edan generar campos no protegidos como se esperaba."}], "id": "CVE-2024-38820", "lastModified": "2024-11-05T21:35:09.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-10-18T06:15:03.333", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2024-38820"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-178"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}