Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-38820

Remote Code Execution
Affects
Spring Framework
>= 6.1.0, < 6.1.14 >= 6.0.0, < 6.0.25 < 5.3.41
in
Spring
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

An improper locale vulnerability (CVE-2024-38820) has been identified in Spring Framework, which could potentially result in fields not being protected as expected.

This issue affects all versions of Spring Framework.

Details

Module Info

  • Product: Spring Framework
  • Affected packages: spring-context, spring-core, spring-web, spring-webflux, spring-webmvc, spring-websocket 
  • Affected versions: >= 6.1.0, < 6.1.14, >= 6.0.0, < 6.0.25, < 5.3.41
  • GitHub repository: https://github.com/spring-projects/spring-framework
  • Package manager: Maven

Vulnerability Info

The fix for CVE-2022-22968 addressed most risks of case insensitivity but still left a potential weakness in the disallowedFields method. Java’s toLowerCase method uses the JVM’s default locale, which may cause fields to not be protected as expected, depending on the field and the JVM’s default locale.

Steps To Reproduce

The following test in DataBinderTests demonstrates the potential weakness. It shows a scenario where the JVM is running with a locale that causes a disallowed field to be set, resulting in the test failing. With the applied fix, the same test will pass.

@Test
	void setDisallowedFields_CVE_2024_38820() throws BindException  {
		// switching the default locale causes this test to break before the fix
		Locale.setDefault(Locale.forLanguageTag("tr-TR"));
		TestBean rod = new TestBean();
		DataBinder binder = new DataBinder(rod);
		binder.setDisallowedFields("JEDI");

		MutablePropertyValues pvs = new MutablePropertyValues();
		pvs.add("name", "Rod");
		pvs.add("jedi", "true");

		binder.bind(pvs);
		binder.close();

		assertThat(rod.getName()).as("changed name correctly").isEqualTo("Rod");
		assertThat(binder.getBindingResult().getSuppressedFields()).containsExactlyInAnyOrder("jedi");

Mitigation

Spring Framework 5.3 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

Pink arrow
Pink arrow
CVE-2024-38807
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-38820
PROJECT Affected
Spring Framework
Versions Affected
>= 6.1.0, < 6.1.14 >= 6.0.0, < 6.0.25 < 5.3.41
Published date
October 23, 2024
≈ Fix date
October 23, 2024
Fixed in
NES for Spring
Severity
Low
Category
Remote Code Execution