CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case-insensitive. However, String.toLowerCase() called without an explicit Locale has some locale-dependent exceptions, which could potentially result in fields not being protected as expected.
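The following is an added illustration of the mechanism described above; it is not Spring Framework code and does not reproduce the DataBinder implementation. It assumes a constructed deny-list in the spirit of DataBinder.setDisallowedFields, a deliberately simplified "prefix*" matcher (not Spring's PatternMatchUtils), and a hypothetical field name "isAdmin", chosen because it contains the letter I, which is the classic locale-dependent case mapping. The first check folds case with the JVM default locale, the second with Locale.ROOT, which is the general mitigation for this class of bug.

```java
import java.util.List;
import java.util.Locale;

// Added illustration (not Spring's code): why a case-insensitive deny-list
// must fold case with a fixed locale rather than the JVM default locale.
public class DisallowedFieldCheck {

    // Constructed deny-list in the spirit of DataBinder.setDisallowedFields.
    // "isAdmin" is a hypothetical field name; "class*" mirrors the kind of
    // prefix pattern the original advisory family is about.
    static final List<String> DISALLOWED = List.of("isAdmin", "class*");

    // Minimal matcher: exact match, or "prefix*". This is an assumption for
    // the example, not Spring's PatternMatchUtils.simpleMatch.
    static boolean simpleMatch(String pattern, String value) {
        if (pattern.endsWith("*")) {
            return value.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(value);
    }

    // Weak variant: String.toLowerCase() with no Locale argument uses the
    // JVM default locale, so the folding result depends on server configuration.
    static boolean isDisallowedDefaultLocale(String field) {
        String folded = field.toLowerCase();
        for (String pattern : DISALLOWED) {
            if (simpleMatch(pattern.toLowerCase(), folded)) {
                return true;
            }
        }
        return false;
    }

    // Hardened variant: Locale.ROOT gives locale-independent case folding,
    // so the same input always folds to the same deny-list key.
    static boolean isDisallowedRootLocale(String field) {
        String folded = field.toLowerCase(Locale.ROOT);
        for (String pattern : DISALLOWED) {
            if (simpleMatch(pattern.toLowerCase(Locale.ROOT), folded)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Simulate a server whose default locale is Turkish. Under that locale
        // an upper-case 'I' lower-cases to dotless U+0131, so an incoming
        // field name spelled in capitals no longer folds to the same string
        // as the lower-cased pattern.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        for (String field : List.of("isAdmin", "ISADMIN", "Class.classLoader")) {
            System.out.printf("%-18s default-locale blocked=%-5b root-locale blocked=%b%n",
                    field,
                    isDisallowedDefaultLocale(field),
                    isDisallowedRootLocale(field));
        }
    }
}
```

Run with the main method: under the Turkish default locale the capitalised "ISADMIN" passes the default-locale check (it folds to a string containing dotless ı, which does not equal "isadmin") while the Locale.ROOT check still blocks it; "isAdmin" and "Class.classLoader" are blocked by both. The practical takeaway for reviewers is to treat every toLowerCase()/toUpperCase() call on security-relevant identifiers as a finding unless it passes Locale.ROOT (or uses equalsIgnoreCase / a locale-independent comparator), because the vulnerable behaviour only appears on hosts whose default locale has these exceptions.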
References
- github.com/advisories/GHSA-4gc7-5j7h-4qph
- github.com/spring-projects/spring-framework
- github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c
- github.com/spring-projects/spring-framework/commits/v6.2.0-RC2
- nvd.nist.gov/vuln/detail/CVE-2024-38820
- security.netapp.com/advisory/ntap-20241129-0003
- spring.io/security/cve-2024-38820
Detect and mitigate CVE-2024-38820 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →