CVE-2024-38820

CWE-178 CWE-20 — Improper Input Validation10 documents7 sources

Severity

5.3MEDIUM

EPSS

1.5%

top 19.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Vmware Spring Framework Spring Spring Framework

Timeline

PublishedOct 18

Latest updateMay 16

Description

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5vmware/spring5.3.x — 5.3.41+2

▶NVDvmware/spring_framework5.3.0 — 5.3.41+2

▶Mavenorg.springframework:spring-web6.1.0 — 6.1.14+2

▶Mavenorg.springframework:spring-context6.1.0 — 6.1.14+2

▶CVEListV5spring/spring_framework6.2.0 — 6.2.6+3

🔴Vulnerability Details

GHSA

Spring Framework DataBinder Case Sensitive Match Exception↗2025-05-16

▶

GHSA

Spring LDAP data exposure vulnerability↗2024-12-04

▶

CVEList

CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception↗2024-10-18

▶

OSV

Spring Framework DataBinder Case Sensitive Match Exception↗2024-10-18

▶

GHSA

Spring Framework DataBinder Case Sensitive Match Exception↗2024-10-18

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Spring Framework) — CVE-2024-38820↗2025-04-15

▶

Red Hat

spring-ldap: Spring LDAP sensitive data exposure for case-sensitive comparisons↗2024-12-04

▶

Debian

CVE-2024-38820: libspring-java - The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case ins...↗2024

▶