Improper Input Validation
CVE-2025-22233
Summary
The fix for CVE-2024-38820 ensured locale-independent, lowercase conversion for both the configured "disallowedFields" patterns and for request parameter names. However, there are still cases where it is possible to bypass the "disallowedFields" checks.

Generally, it is recommended to use a dedicated model object with properties only for data binding, or to use constructor binding, since constructor arguments explicitly declare what to bind, together with turning off setter binding through the "declarativeBinding" flag. See the Model Design section in the reference documentation. For setter binding, prefer using "allowedFields" (an explicit list) over "disallowedFields".

This issue affects org.springframework:spring-context versions through 5.3.39-atlassian-4, 6.0.0-M1 through 6.0.23, 6.1.0-M1 through 6.1.19, 6.2.0-M1 through 6.2.6, and 7.0.0-M1 through 7.0.0-M4.

Credit: This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
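The mitigation the advisory recommends, shown as an added example rather than code from the advisory or from the Spring project: a dedicated form object bound through its constructor, an explicit "allowedFields" allowlist in place of a "disallowedFields" denylist, and setter binding switched off via "declarativeBinding". The controller, the `ProfileForm` record and its field names are hypothetical; `setDeclarativeBinding` is assumed to be available (it is a `DataBinder` method from Spring Framework 6.1 onward), and `setAllowedFields` / `setDisallowedFields` are standard `DataBinder` methods.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class ProfileController {

    // Hypothetical form object used only for data binding. It carries exactly the
    // properties a client is meant to supply, so there is no privileged property
    // (role, admin flag, ...) for a crafted parameter name to reach in the first place.
    // Declaring the fields as constructor arguments makes the bindable set explicit.
    public record ProfileForm(String displayName, String email) {}

    // Weak configuration the advisory warns about: a denylist of property names.
    // A denylist only blocks what it anticipates, and the advisory states that the
    // "disallowedFields" check can still be bypassed in some cases.
    //
    // @InitBinder
    // public void weakBinder(WebDataBinder binder) {
    //     binder.setDisallowedFields("role", "admin");
    // }

    // Hardened configuration: an explicit allowlist, and no setter binding beyond
    // the declared constructor arguments.
    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // Only these request parameter names may ever be bound; anything else is dropped.
        binder.setAllowedFields("displayName", "email");
        // Spring 6.1+ (assumed available): bind through the constructor only and do not
        // fall back to setter binding for additional request parameters.
        binder.setDeclarativeBinding(true);
    }

    @PostMapping("/profile")
    public String update(@ModelAttribute ProfileForm form) {
        // form.displayName() and form.email() are the only client-controlled values here.
        return "redirect:/profile";
    }
}
```

If a binder needs `@InitBinder` settings across many controllers, the same method can live in a `@ControllerAdvice` class; the point is that the allowlist and the model shape, not a pattern denylist, define what a request can write.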
- HIGH
- NETWORK
- LOW
- UNCHANGED
- NONE
- LOW
- NONE
- NONE
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.