Spring Framework 5.3.0-5.3.40 and 6.1.0-6.1.13 - Case Sensitivity Bypass in DataBinder DisallowedFields
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.