CVE-2024-38829: Spring LDAP data exposure vulnerability

December 4, 2024 (updated December 10, 2024)

A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820

References

github.com/advisories/GHSA-mqvr-2rp8-j7h4
github.com/spring-projects/spring-ldap
nvd.nist.gov/vuln/detail/CVE-2024-38829
spring.io/security/cve-2024-38829

Detect and mitigate CVE-2024-38829 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →