
Improper Handling of Case Sensitivity

CVE-2024-38820

Severity Medium
Score 5.3/10

Summary

The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, the use of "String.toLowerCase()" introduced locale-dependent exceptions that could result in some fields not being protected as expected. This behaviour could allow attackers to bypass security measures that rely on accurate field filtering. The vulnerability affects Spring Framework versions through 5.3.39, 6.0.0 through 6.0.24, and 6.1.0 through 6.1.13.
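The locale dependency described above, shown in a small stand-alone example added here (not Spring Framework code; the class, method and pattern names are assumptions, and exact-name matching stands in for Spring's pattern matching). Under a Turkish default locale, uppercase "I" lowercases to dotless "ı" (U+0131), so a default-locale comparison and a Locale.ROOT comparison disagree on whether a submitted field name matches the disallowed pattern.

```java
import java.util.List;
import java.util.Locale;

// Illustrative stand-in for a DataBinder-style disallowed-field check.
// Not Spring Framework code; names are assumptions made for this example.
public class DisallowedFieldCheck {

    // Weak form: lowercases with the JVM default locale, the behaviour
    // the advisory describes, so the result depends on where the JVM runs.
    static boolean isDisallowedDefaultLocale(String field, List<String> patterns) {
        String f = field.toLowerCase();
        for (String p : patterns) {
            if (f.equals(p.toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    // Hardened form: lowercases with Locale.ROOT, so case folding is
    // identical on every JVM regardless of its default locale.
    static boolean isDisallowedRootLocale(String field, List<String> patterns) {
        String f = field.toLowerCase(Locale.ROOT);
        for (String p : patterns) {
            if (f.equals(p.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> disallowed = List.of("isAdmin"); // constructed sample pattern
        String submitted = "ISADMIN";                 // constructed sample field name

        // Force a Turkish default locale: "I".toLowerCase() yields dotless "ı",
        // so the default-locale check no longer recognises the field as disallowed,
        // while the Locale.ROOT check still does.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        System.out.println("default locale : "
                + isDisallowedDefaultLocale(submitted, disallowed));
        System.out.println("Locale.ROOT    : "
                + isDisallowedRootLocale(submitted, disallowed));
    }
}
```

Running the same class under an English default locale makes both checks agree, which is exactly why this class of bug is easy to miss in testing.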

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-178 - Improper Handling of Case Sensitivity

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Advisory Timeline

  • Published