
CVE-2024-38827

Spring Framework has Authorization Bypass for Case Sensitive Comparisons

The use of String.toLowerCase() and String.toUpperCase() has some locale-dependent exceptions (the default locale decides how certain characters are case-mapped) that could potentially result in authorization rules not working properly.
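The following is an added example, not code from Spring Security or from the advisory, that shows the locale dependency behind this issue in plain Java. The role strings and the two comparison helpers are constructed for illustration; the hardened helper passes Locale.ROOT so that the case mapping is the same on every JVM regardless of the default locale.

```java
import java.util.Locale;

public class LocaleSafeCompare {
    // Constructed sample: a required authority as it might appear in an authorization rule.
    static final String REQUIRED_ROLE = "ROLE_ADMIN";

    // Locale-dependent comparison: relies on the JVM default locale for the case mapping.
    static boolean matchesDefaultLocale(String granted, String required) {
        return granted.toUpperCase().equals(required.toUpperCase());
    }

    // Hardened comparison: Locale.ROOT uses the locale-neutral Unicode mapping,
    // so "i" always maps to "I" and the comparison does not depend on the host.
    static boolean matchesRootLocale(String granted, String required) {
        return granted.toUpperCase(Locale.ROOT).equals(required.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a server whose default locale is Turkish (constructed for the demo).
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("default locale: " + matchesDefaultLocale("role_admin", REQUIRED_ROLE));
            System.out.println("Locale.ROOT   : " + matchesRootLocale("role_admin", REQUIRED_ROLE));
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

Under a Turkish default locale the first check fails, because "i" upper-cases to U+0130 (capital I with dot above) rather than "I", while the Locale.ROOT check succeeds. The defensive takeaway is to never call the no-argument toLowerCase()/toUpperCase() in security comparisons: pass Locale.ROOT, or use String.equalsIgnoreCase(), which compares character by character without consulting the default locale.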

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details
Score: 4.7
Score Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Versions:
org.springframework.security:spring-security-core < 5.7.14
org.springframework.security:spring-security-core >= 5.8.0, < 5.8.16
org.springframework.security:spring-security-core >= 6.0.0, < 6.0.14
org.springframework.security:spring-security-core >= 6.1.0, < 6.1.12
org.springframework.security:spring-security-core >= 6.2.0, < 6.2.8
org.springframework.security:spring-security-core >= 6.3.0, < 6.3.5
Severity: Medium
Ecosystem
Publish Date: December 2, 2024
Modified Date: January 24, 2025