Improper Handling of Case Sensitivity
CVE-2024-38820
Summary
The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, the comparison relies on "String.toLowerCase()", whose result depends on the JVM's default locale, so some field names are not lowercased to the form the pattern check expects and may not be protected as intended. An attacker could therefore bypass security measures that rely on accurate field filtering. The vulnerability affects Spring Framework versions through 5.3.39, 6.0.0 through 6.0.24, and 6.1.0 through 6.1.13.
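As an added illustration (not code from Spring Framework or from this advisory), the class below mimics a disallowed-field comparison built on lowercasing both the configured pattern and the submitted field name: under a Turkish locale the pattern "userId" lowercases to "userıd" (dotless ı), so a submitted "userid" is no longer recognised as disallowed, while lowercasing with Locale.ROOT gives the same answer on every JVM. The pattern, the field name and the Locale.ROOT variant are assumptions chosen for the illustration.

```java
import java.util.Locale;

// Constructed illustration (not Spring's own code) of why a case-insensitive
// "disallowed field" check that depends on String.toLowerCase() is locale
// dependent. Field names and locales are made-up sample values.
public class DisallowedFieldCheck {

    // Pattern a developer configured, e.g. binder.setDisallowedFields("userId").
    static final String PATTERN = "userId";

    // Lowercases both sides with an explicit locale. String.toLowerCase() with
    // no argument uses Locale.getDefault(), so in production the outcome is
    // decided by whatever locale the JVM happens to run with.
    static boolean isBlocked(String field, Locale locale) {
        return PATTERN.toLowerCase(locale).equals(field.toLowerCase(locale));
    }

    // Locale-insensitive variant: Locale.ROOT applies only the language-neutral
    // case mappings, so 'I' always becomes 'i'.
    static boolean isBlockedLocaleRoot(String field) {
        return PATTERN.toLowerCase(Locale.ROOT).equals(field.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String submitted = "userid"; // constructed request parameter name

        // English locale: "userId" -> "userid", so the submitted name is blocked.
        System.out.println("en: blocked = " + isBlocked(submitted, Locale.ENGLISH));

        // Turkish locale: 'I' lowercases to dotless 'ı' (U+0131), so the pattern
        // becomes "user\u0131d", which does not equal "userid"; not blocked.
        System.out.println("tr: blocked = " + isBlocked(submitted, turkish));

        // Locale.ROOT: independent of the JVM default locale; blocked.
        System.out.println("root: blocked = " + isBlockedLocaleRoot(submitted));
    }
}
```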
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-178 - Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Advisory Timeline
- Published