CVE-2024-38827 (GCVE-0-2024-38827)

Vulnerability from cvelistv5 – Published: 2024-12-02 14:32 – Updated: 2025-01-24 20:03
VLAI
Title
Spring Security Authorization Bypass for Case Sensitive Comparisons
Summary
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Severity
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Spring by VMware Tanzu Spring Security Affected: 5.7.0 - 5.7.13, 5.8.0 - 5.8.15, 6.0.0 - 6.0.13, 6.1.0 - 6.1.11, 6.2.0 - 6.2.7, 6.3.0 - 6.3.4, Older unsupported versions are also affected
Create a notification for this product.
Date Public
2024-11-19 14:17
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38827",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-02T15:27:02.642978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-02T15:27:27.060Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-24T20:03:06.325Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250124-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring by VMware Tanzu",
          "versions": [
            {
              "status": "affected",
              "version": "5.7.0 - 5.7.13, 5.8.0 - 5.8.15, 6.0.0 - 6.0.13, 6.1.0 - 6.1.11, 6.2.0 - 6.2.7, 6.3.0 - 6.3.4, Older unsupported versions are also affected"
            }
          ]
        }
      ],
      "datePublic": "2024-11-19T14:17:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe usage of \u003c/span\u003e\u003ccode\u003eString.toLowerCase()\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003ccode\u003eString.toUpperCase()\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;has some \u003c/span\u003e\u003ccode\u003eLocale\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;dependent exceptions that could potentially result in authorization rules not working properly.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-02T14:32:12.471Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2024-38827"
        }
      ],
      "source": {
        "advisory": "cve-2024-38827",
        "discovery": "UNKNOWN"
      },
      "title": "Spring Security Authorization Bypass for Case Sensitive Comparisons",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2024-38827",
    "datePublished": "2024-12-02T14:32:12.471Z",
    "dateReserved": "2024-06-19T22:32:07.790Z",
    "dateUpdated": "2025-01-24T20:03:06.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-38827",
      "date": "2026-06-20",
      "epss": "0.00377",
      "percentile": "0.29354"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The usage of String.toLowerCase()\\u00a0and String.toUpperCase()\\u00a0has some Locale\\u00a0dependent exceptions that could potentially result in authorization rules not working properly.\"}, {\"lang\": \"es\", \"value\": \"El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuraci\\u00f3n regional que podr\\u00edan provocar que las reglas de autorizaci\\u00f3n no funcionen correctamente.\"}]",
      "id": "CVE-2024-38827",
      "lastModified": "2024-12-02T15:15:11.270",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@vmware.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 2.5}]}",
      "published": "2024-12-02T15:15:11.270",
      "references": "[{\"url\": \"https://spring.io/security/cve-2024-38827\", \"source\": \"security@vmware.com\"}]",
      "sourceIdentifier": "security@vmware.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@vmware.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38827\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2024-12-02T15:15:11.270\",\"lastModified\":\"2025-01-24T20:15:32.553\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly.\"},{\"lang\":\"es\",\"value\":\"El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuraci\u00f3n regional que podr\u00edan provocar que las reglas de autorizaci\u00f3n no funcionen correctamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2024-38827\",\"source\":\"security@vmware.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250124-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38827\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-02T15:27:02.642978Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T15:27:20.844Z\"}}], \"cna\": {\"title\": \"Spring Security Authorization Bypass for Case Sensitive Comparisons\", \"source\": {\"advisory\": \"cve-2024-38827\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring by VMware Tanzu\", \"product\": \"Spring Security\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7.0 - 5.7.13, 5.8.0 - 5.8.15, 6.0.0 - 6.0.13, 6.1.0 - 6.1.11, 6.2.0 - 6.2.7, 6.3.0 - 6.3.4, Older unsupported versions are also affected\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-11-19T14:17:00.000Z\", \"references\": [{\"url\": \"https://spring.io/security/cve-2024-38827\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The usage of String.toLowerCase()\\u00a0and String.toUpperCase()\\u00a0has some Locale\\u00a0dependent exceptions that could potentially result in authorization rules not working properly.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe usage of \u003c/span\u003e\u003ccode\u003eString.toLowerCase()\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;and \u003c/span\u003e\u003ccode\u003eString.toUpperCase()\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;has some \u003c/span\u003e\u003ccode\u003eLocale\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;dependent exceptions that could potentially result in authorization rules not working properly.\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2024-12-02T14:32:12.471Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38827\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-02T15:27:27.060Z\", \"dateReserved\": \"2024-06-19T22:32:07.790Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2024-12-02T14:32:12.471Z\", \"assignerShortName\": \"vmware\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.