CVE-2024-38829
Spring LDAP sensitive data exposure for case-sensitive comparisons
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried
Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
Una vulnerabilidad en VMware Tanzu Spring LDAP permite la exposición de datos para comparaciones que distinguen entre mayúsculas y minúsculas. Este problema afecta a Spring LDAP: de 2.4.0 a 2.4.3, de 3.0.0 a 3.0.9, de 3.1.0 a 3.1.7, de 3.2.0 a 3.2.7, Y todas las versiones anteriores a 2.4.0. El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuración regional que podrían provocar que se consulten columnas no deseadas. Relacionado con CVE-2024-38820 https://spring.io/security/cve-2024-38820
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried
Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-06-19 CVE Reserved
- 2024-12-04 CVE Published
- 2024-12-05 EPSS Updated
- 2024-12-10 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-178: Improper Handling of Case Sensitivity
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://spring.io/security/cve-2024-38829 | 2024-12-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Spring Search vendor "Spring" | Spring LDAP Search vendor "Spring" for product "Spring LDAP" | >= 2.4.0 <= 2.4.3 Search vendor "Spring" for product "Spring LDAP" and version " >= 2.4.0 <= 2.4.3" | en |
Affected
| ||||||
Spring Search vendor "Spring" | Spring LDAP Search vendor "Spring" for product "Spring LDAP" | >= 3.0.0 <= 3.0.9 Search vendor "Spring" for product "Spring LDAP" and version " >= 3.0.0 <= 3.0.9" | en |
Affected
| ||||||
Spring Search vendor "Spring" | Spring LDAP Search vendor "Spring" for product "Spring LDAP" | >= 3.1.0 <= 3.1.7 Search vendor "Spring" for product "Spring LDAP" and version " >= 3.1.0 <= 3.1.7" | en |
Affected
| ||||||
Spring Search vendor "Spring" | Spring LDAP Search vendor "Spring" for product "Spring LDAP" | >= 3.2.0 <= 3.2.7 Search vendor "Spring" for product "Spring LDAP" and version " >= 3.2.0 <= 3.2.7" | en |
Affected
| ||||||
Spring Search vendor "Spring" | Spring LDAP Search vendor "Spring" for product "Spring LDAP" | <= 2.4.0 Search vendor "Spring" for product "Spring LDAP" and version " <= 2.4.0" | en |
Affected
|