CVE-2024-38820

LOW

DataBinder - Info Disclosure

Title source: llm

Description

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some locale-dependent exceptions that could potentially result in fields not being protected as expected.

Exploits (1)

nomisec WORKING POC
by kadamnayan · poc
https://github.com/kadamnayan/POC-CVE-2024-38820

Scores

CVSS v3 3.1
EPSS 0.0151
EPSS Percentile 81.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-178
Status published
Products (3)
org.springframework/spring-context 6.1.0 - 6.1.14 (Maven)
org.springframework/spring-web 6.1.0 - 6.1.14 (Maven)
vmware/spring_framework 5.3.0 - 5.3.41
Published Oct 18, 2024
Tracked Since Feb 18, 2026