{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38829", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:07.790Z", "datePublished": "2024-12-04T21:06:05.021Z", "dateUpdated": "2024-12-10T14:33:55.692Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring LDAP", "vendor": "Spring", "versions": [{"lessThanOrEqual": "2.4.3", "status": "affected", "version": "2.4.0", "versionType": "Spring LDAP"}, {"lessThanOrEqual": "3.0.9", "status": "affected", "version": "3.0.0", "versionType": "Spring LDAP"}, {"lessThanOrEqual": "3.1.7", "status": "affected", "version": "3.1.0", "versionType": "Spring LDAP"}, {"lessThanOrEqual": "3.2.7", "status": "affected", "version": "3.2.0", "versionType": "Spring LDAP"}, {"lessThanOrEqual": "2.4.0", "status": "affected", "version": "0", "versionType": "Spring LDAP"}]}], "datePublic": "2024-11-19T21:04:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.<p>This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.</p>The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried<br><p>Related to <a target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2024-38820\">CVE-2024-38820</a></p><br>"}], "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820"}], "impacts": [{"descriptions": [{"lang": "en", "value": "CAPEC-NOINFO"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "description": "CWE-178", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-10T14:33:55.692Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://spring.io/security/cve-2024-38829"}], "source": {"discovery": "UNKNOWN"}, "title": "Spring LDAP sensitive data exposure for case-sensitive comparisons", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-05T17:10:00.599129Z", "id": "CVE-2024-38829", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T17:10:15.259Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38829", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-05T17:10:00.599129Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T17:10:09.922Z"}}], "cna": {"title": "Spring LDAP sensitive data exposure for case-sensitive comparisons", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "CAPEC-NOINFO"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring LDAP", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "Spring LDAP", "lessThanOrEqual": "2.4.3"}, {"status": "affected", "version": "3.0.0", "versionType": "Spring LDAP", "lessThanOrEqual": "3.0.9"}, {"status": "affected", "version": "3.1.0", "versionType": "Spring LDAP", "lessThanOrEqual": "3.1.7"}, {"status": "affected", "version": "3.2.0", "versionType": "Spring LDAP", "lessThanOrEqual": "3.2.7"}, {"status": "affected", "version": "0", "versionType": "Spring LDAP", "lessThanOrEqual": "2.4.0"}], "defaultStatus": "unaffected"}], "datePublic": "2024-11-19T21:04:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38829", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.<p>This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.</p>The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried<br><p>Related to <a target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2024-38820\">CVE-2024-38820</a></p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-10T14:33:55.692Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38829", "state": "PUBLISHED", "dateUpdated": "2024-12-10T14:33:55.692Z", "dateReserved": "2024-06-19T22:32:07.790Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-12-04T21:06:05.021Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820"}, {"lang": "es", "value": "Una vulnerabilidad en VMware Tanzu Spring LDAP permite la exposici\u00f3n de datos para comparaciones que distinguen entre may\u00fasculas y min\u00fasculas. Este problema afecta a Spring LDAP: de 2.4.0 a 2.4.3, de 3.0.0 a 3.0.9, de 3.1.0 a 3.1.7, de 3.2.0 a 3.2.7, Y todas las versiones anteriores a 2.4.0. El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuraci\u00f3n regional que podr\u00edan provocar que se consulten columnas no deseadas. Relacionado con CVE-2024-38820 https://spring.io/security/cve-2024-38820"}], "id": "CVE-2024-38829", "lastModified": "2024-12-10T15:15:07.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2024-12-04T21:15:24.103", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2024-38829"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "spring-ldap: Spring LDAP sensitive data exposure for case-sensitive comparisons", "id": "2330449", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330449"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-178", "details": ["A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820", "A flaw was found in Spring LDAP. The usage of String.toLowerCase() and String.toUpperCase() has some locale dependent exceptions that could result in unintended columns being queried."], "name": "CVE-2024-38829", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.springframework.ldap/spring-ldap-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-12-04T21:06:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38829\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38829\nhttps://spring.io/security/cve-2024-38829"], "threat_severity": "Low"}