Improper Handling of Case Sensitivity in org.springframework:spring-beans

CVE-2024-38820

org.springframework:spring-beans
org.springframework:spring-context
org.springframework:spring-context-support
org.springframework:spring-core
org.springframework:spring-core-test
org.springframework:spring-expression
org.springframework:spring-jdbc
org.springframework:spring-jms
org.springframework:spring-test
org.springframework:spring-web
org.springframework:spring-webflux
org.springframework:spring-webmvc
org.springframework:spring-websocket

Low

2.3/10

Summary

The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some locale-dependent exceptions that could potentially result in fields not being protected as expected. This behaviour could allow attackers to bypass security measures that rely on accurate field filtering. The vulnerability affects org.springframework packages in versions through 5.3.39, 6.0.0 through 6.0.24, 6.1.0 through 6.1.13, and 6.2.0-M1 through 6.2.0-RC1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-178 - Improper Handling of Case Sensitivity

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

References

Advisory Timeline

Published Oct 18, 2024

Improper Handling of Case Sensitivity in org.springframework:spring-beans

CVE-2024-38820

Summary

CWE-178 - Improper Handling of Case Sensitivity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS