Spring Framework DataBinder Case Sensitive Match Exception

GHSA-4gc7-5j7h-4qph · CVE-2024-38820

Published Oct 18, 2024 · Modified Feb 4, 2026

Description

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-38820
WEB https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c
PACKAGE https://github.com/spring-projects/spring-framework
WEB https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2
WEB https://security.netapp.com/advisory/ntap-20241129-0003
WEB https://spring.io/security/cve-2024-38820

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes