- CVE ID
- CVE-2024-38820
- CVE Description
- The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
- Published
- Oct 21, 2024
- CVSS Score & Severity
5.3Medium
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- EPSS Score
- 1.473%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
org/springframework/validation/DataBinder.isAllowed(Ljava/lang/String;)ZJVMVulnerable params: 0
org/springframework/validation/DataBinder.setDisallowedFields([Ljava/lang/String;)VJVMVulnerable params: 0
- Source
- National Vulnerability Database