CVE-2024-38829 (GCVE-0-2024-38829)
Vulnerability from cvelistv5
Published
2024-12-04 21:06
Modified
2024-12-10 14:33
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
Summary
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
References
Impacted products
Vendor Product Version
Spring Spring LDAP Version: 2.4.0
Version: 3.0.0
Version: 3.1.0
Version: 3.2.0
Version: 0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38829",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-05T17:10:00.599129Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-05T17:10:15.259Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring LDAP",
          "vendor": "Spring",
          "versions": [
            {
              "lessThanOrEqual": "2.4.3",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "Spring LDAP"
            },
            {
              "lessThanOrEqual": "3.0.9",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "Spring LDAP"
            },
            {
              "lessThanOrEqual": "3.1.7",
              "status": "affected",
              "version": "3.1.0",
              "versionType": "Spring LDAP"
            },
            {
              "lessThanOrEqual": "3.2.7",
              "status": "affected",
              "version": "3.2.0",
              "versionType": "Spring LDAP"
            },
            {
              "lessThanOrEqual": "2.4.0",
              "status": "affected",
              "version": "0",
              "versionType": "Spring LDAP"
            }
          ]
        }
      ],
      "datePublic": "2024-11-19T21:04:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.\u003cp\u003eThis issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\u003c/p\u003eThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\u003cbr\u003e\u003cp\u003eRelated to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2024-38820\"\u003eCVE-2024-38820\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to  CVE-2024-38820 https://spring.io/security/cve-2024-38820"
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-NOINFO"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-10T14:33:55.692Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://spring.io/security/cve-2024-38829"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spring LDAP sensitive data exposure for case-sensitive comparisons",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2024-38829",
    "datePublished": "2024-12-04T21:06:05.021Z",
    "dateReserved": "2024-06-19T22:32:07.790Z",
    "dateUpdated": "2024-12-10T14:33:55.692Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38829\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2024-12-04T21:15:24.103\",\"lastModified\":\"2024-12-10T15:15:07.593\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\\n\\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\\nRelated to  CVE-2024-38820 https://spring.io/security/cve-2024-38820\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en VMware Tanzu Spring LDAP permite la exposici\u00f3n de datos para comparaciones que distinguen entre may\u00fasculas y min\u00fasculas. Este problema afecta a Spring LDAP: de 2.4.0 a 2.4.3, de 3.0.0 a 3.0.9, de 3.1.0 a 3.1.7, de 3.2.0 a 3.2.7, Y todas las versiones anteriores a 2.4.0. El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuraci\u00f3n regional que podr\u00edan provocar que se consulten columnas no deseadas. Relacionado con CVE-2024-38820 https://spring.io/security/cve-2024-38820\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-178\"}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2024-38829\",\"source\":\"security@vmware.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38829\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-05T17:10:00.599129Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-05T17:10:09.922Z\"}}], \"cna\": {\"title\": \"Spring LDAP sensitive data exposure for case-sensitive comparisons\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-NOINFO\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring\", \"product\": \"Spring LDAP\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.4.0\", \"versionType\": \"Spring LDAP\", \"lessThanOrEqual\": \"2.4.3\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"versionType\": \"Spring LDAP\", \"lessThanOrEqual\": \"3.0.9\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"versionType\": \"Spring LDAP\", \"lessThanOrEqual\": \"3.1.7\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"versionType\": \"Spring LDAP\", \"lessThanOrEqual\": \"3.2.7\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Spring LDAP\", \"lessThanOrEqual\": \"2.4.0\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-11-19T21:04:00.000Z\", \"references\": [{\"url\": \"https://spring.io/security/cve-2024-38829\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\\n\\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\\nRelated to  CVE-2024-38820 https://spring.io/security/cve-2024-38820\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.\u003cp\u003eThis issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\u003c/p\u003eThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\u003cbr\u003e\u003cp\u003eRelated to \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://spring.io/security/cve-2024-38820\\\"\u003eCVE-2024-38820\u003c/a\u003e\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-178\", \"description\": \"CWE-178\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2024-12-10T14:33:55.692Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38829\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-10T14:33:55.692Z\", \"dateReserved\": \"2024-06-19T22:32:07.790Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2024-12-04T21:06:05.021Z\", \"assignerShortName\": \"vmware\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.