Vulnerabilites related to Spring - Spring LDAP
CVE-2024-38829 (GCVE-0-2024-38829)
Vulnerability from cvelistv5
Published
2024-12-04 21:06
Modified
2024-12-10 14:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried
Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring LDAP |
Version: 2.4.0 Version: 3.0.0 Version: 3.1.0 Version: 3.2.0 Version: 0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T17:10:00.599129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T17:10:15.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring LDAP",
"vendor": "Spring",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "2.4.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.0.9",
"status": "affected",
"version": "3.0.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.1.7",
"status": "affected",
"version": "3.1.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "3.2.7",
"status": "affected",
"version": "3.2.0",
"versionType": "Spring LDAP"
},
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "0",
"versionType": "Spring LDAP"
}
]
}
],
"datePublic": "2024-11-19T21:04:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.\u003cp\u003eThis issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\u003c/p\u003eThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\u003cbr\u003e\u003cp\u003eRelated to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2024-38820\"\u003eCVE-2024-38820\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "CAPEC-NOINFO"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T14:33:55.692Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://spring.io/security/cve-2024-38829"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring LDAP sensitive data exposure for case-sensitive comparisons",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-38829",
"datePublished": "2024-12-04T21:06:05.021Z",
"dateReserved": "2024-06-19T22:32:07.790Z",
"dateUpdated": "2024-12-10T14:33:55.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}