Fluid Attacks Database

Description

Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-web	>=6.1.0 <6.1.14 \|\| >=6.0.0 <=6.0.24 \|\| >=0 <=5.3.40	6.1.14
maven	org.springframework:spring-context	>=6.1.0 <6.1.14 \|\| >=6.0.0 <=6.0.24 \|\| >=0 <=5.3.40	6.1.14

Aliases

1. CVE-2024-388202. NVD-2024-388203. OSV-DEBIAN-2024-388204. OSV-2024-388205. GCVE-2024-388206. SECURITY-TRACKER-CVE-2024-38820

References

1. https://github.com/kadamnayan/POC-CVE-2024-388202. https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c3. https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC24. https://security.netapp.com/advisory/ntap-20241129-00035. https://spring.io/security/cve-2024-38820