CVE-2024-38827 – org.springframework.security:spring-security-core

Package

Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=0 <5.7.14 || >=5.8.0 <5.8.16 || >=6.0.0 <6.0.14 || >=6.1.0 <6.1.12 || >=6.2.0 <6.2.8 || >=6.3.0 <6.3.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00111 pctl0.30155

Details

Spring Framework has Authorization Bypass for Case Sensitive Comparisons The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Metadata

Created: 2024-12-02T15:31:41Z
Modified: 2025-01-24T21:31:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q3v6-hm2v-pw99/GHSA-q3v6-hm2v-pw99.json
CWE IDs: ["CWE-639"]
Alternative ID: GHSA-q3v6-hm2v-pw99
Finding: F039
Auto approve: 1