
Description

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case-insensitive. However, String.toLowerCase() has some Locale-dependent exceptions that could potentially result in fields not being protected as expected.

PUBLISHED Reserved 2024-06-19 | Published 2024-10-18 | Updated 2024-11-29 | Assigner vmware




LOW: 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Product status

Default status: affected

5.3.x (Enterprise Support Only) before 5.3.41: affected

6.0.x (Enterprise Support Only) before 6.0.25: affected

6.1.x (OSS) before 6.1.14: affected

References

security.netapp.com/advisory/ntap-20241129-0003/

spring.io/security/cve-2024-38820

cve.org (CVE-2024-38820)

nvd.nist.gov (CVE-2024-38820)
