CVE-2024-38827 - Vulnerability Details - OpenCVE

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-38827
https://security.netapp.com/advisory/ntap-20250124-0007/
https://spring.io/security/cve-2024-38827
https://www.cve.org/CVERecord?id=CVE-2024-38827

History

Fri, 24 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250124-0007/

Tue, 03 Dec 2024 01:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-38827 https://www.cve.org/CVERecord?id=CVE-2024-38827
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 02 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
Description		The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Title		Spring Security Authorization Bypass for Case Sensitive Comparisons
Weaknesses		CWE-639
References		https://spring.io/security/cve-2024-38827
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2024-12-02T14:32:12.471Z

Updated: 2025-01-24T20:03:06.325Z

Reserved: 2024-06-19T22:32:07.790Z

Link: CVE-2024-38827

Vulnrichment

Updated: 2024-12-02T15:27:20.844Z

NVD

Status : Awaiting Analysis

Published: 2024-12-02T15:15:11.270

Modified: 2025-01-24T20:15:32.553

Link: CVE-2024-38827

Redhat

Severity : Moderate

Publid Date: 2024-12-02T14:32:12Z

Links: CVE-2024-38827 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38827", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2024-06-19T22:32:07.790Z", "datePublished": "2024-12-02T14:32:12.471Z", "dateUpdated": "2025-01-24T20:03:06.325Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring Security", "vendor": "Spring by VMware Tanzu", "versions": [{"status": "affected", "version": "5.7.0 - 5.7.13, 5.8.0 - 5.8.15, 6.0.0 - 6.0.13, 6.1.0 - 6.1.11, 6.2.0 - 6.2.7, 6.3.0 - 6.3.4, Older unsupported versions are also affected"}]}], "datePublic": "2024-11-19T14:17:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The usage of </span><code>String.toLowerCase()</code><span style=\"background-color: rgb(255, 255, 255);\"> and </span><code>String.toUpperCase()</code><span style=\"background-color: rgb(255, 255, 255);\"> has some </span><code>Locale</code><span style=\"background-color: rgb(255, 255, 255);\"> dependent exceptions that could potentially result in authorization rules not working properly.</span>\n\n<br>"}], "value": "The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-02T14:32:12.471Z"}, "references": [{"url": "https://spring.io/security/cve-2024-38827"}], "source": {"advisory": "cve-2024-38827", "discovery": "UNKNOWN"}, "title": "Spring Security Authorization Bypass for Case Sensitive Comparisons", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-02T15:27:02.642978Z", "id": "CVE-2024-38827", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T15:27:27.060Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250124-0007/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-24T20:03:06.325Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38827", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-02T15:27:02.642978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T15:27:20.844Z"}}], "cna": {"title": "Spring Security Authorization Bypass for Case Sensitive Comparisons", "source": {"advisory": "cve-2024-38827", "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring by VMware Tanzu", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0 - 5.7.13, 5.8.0 - 5.8.15, 6.0.0 - 6.0.13, 6.1.0 - 6.1.11, 6.2.0 - 6.2.7, 6.3.0 - 6.3.4, Older unsupported versions are also affected"}], "defaultStatus": "unaffected"}], "datePublic": "2024-11-19T14:17:00.000Z", "references": [{"url": "https://spring.io/security/cve-2024-38827"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The usage of </span><code>String.toLowerCase()</code><span style=\"background-color: rgb(255, 255, 255);\"> and </span><code>String.toUpperCase()</code><span style=\"background-color: rgb(255, 255, 255);\"> has some </span><code>Locale</code><span style=\"background-color: rgb(255, 255, 255);\"> dependent exceptions that could potentially result in authorization rules not working properly.</span>\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2024-12-02T14:32:12.471Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38827", "state": "PUBLISHED", "dateUpdated": "2024-12-02T15:27:27.060Z", "dateReserved": "2024-06-19T22:32:07.790Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2024-12-02T14:32:12.471Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"bugzilla": {"description": "spring-security: authorization bypass for case sensitive comparisons", "id": "2329971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329971"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-639", "details": ["The usage of String.toLowerCase()\u00a0and String.toUpperCase()\u00a0has some Locale\u00a0dependent exceptions that could potentially result in authorization rules not working properly."], "name": "CVE-2024-38827", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "spring-security-core", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.springframework.security/spring-security-core", "product_name": "streams for Apache Kafka"}], "public_date": "2024-12-02T14:32:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38827\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38827\nhttps://spring.io/security/cve-2024-38827"], "threat_severity": "Moderate"}