View all vulnerabilities

CVE-2024-38820

Spring Framework DataBinder Case Sensitive Match Exception

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
5.3
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Versions
org.springframework:spring-context >= 6.1.0 < 6.1.14; org.springframework:spring-web >= 6.1.0 < 6.1.14; org.springframework:spring-web >= 6.0.0; org.springframework:spring-context >= 6.0.0
Severity
Medium
Ecosystem
Publish Date
October 18, 2024
Modified Date
May 29, 2025