Description
Spring Framework has Authorization Bypass for Case Sensitive Comparisons
The use of String.toLowerCase() and String.toUpperCase() has some locale-dependent exceptions that could potentially result in authorization rules not working properly.
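The following is an added illustration of the locale pitfall the description refers to; it is not code from Spring Security or from the referenced fix. It assumes a hypothetical authorization rule that protects any path under a lowercase `/admin/` prefix by lowercasing the incoming request path, and it simulates a JVM whose default locale is Turkish, where `"I".toLowerCase()` yields dotless `ı` (U+0131) rather than `i`. The hardened variant folds case with `Locale.ROOT`, which is a general remedy and not a claim about how the linked commit itself was written.

```java
import java.util.Locale;

/**
 * Demonstrates why a default-locale String.toLowerCase() can make a
 * case-insensitive authorization rule fail to match, and how folding
 * with Locale.ROOT avoids it. Added example, not Spring code.
 */
public class LocaleCaseFolding {

    // Hypothetical protected prefix, written in lowercase by the developer.
    static final String PROTECTED_PREFIX = "/admin/";

    // Vulnerable pattern: case folding depends on the JVM default locale.
    static boolean requiresAuthDefaultLocale(String requestPath) {
        return requestPath.toLowerCase().startsWith(PROTECTED_PREFIX);
    }

    // Hardened pattern: Locale.ROOT gives locale-independent folding,
    // so "ADMIN" always becomes "admin" regardless of the server's locale.
    static boolean requiresAuthRootLocale(String requestPath) {
        return requestPath.toLowerCase(Locale.ROOT).startsWith(PROTECTED_PREFIX);
    }

    public static void main(String[] args) {
        // Constructed sample request: uppercase path that should still be protected.
        String request = "/ADMIN/users";

        Locale original = Locale.getDefault();
        try {
            // Simulate a server running with a Turkish default locale.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            System.out.println("folded with default locale: " + request.toLowerCase());
            System.out.println("folded with Locale.ROOT:    " + request.toLowerCase(Locale.ROOT));
            System.out.println("rule applies (default locale): " + requiresAuthDefaultLocale(request));
            System.out.println("rule applies (Locale.ROOT):    " + requiresAuthRootLocale(request));
        } finally {
            // Restore the original locale so the rest of the JVM is unaffected.
            Locale.setDefault(original);
        }
    }
}
```

Under the simulated `tr-TR` locale the default-locale variant lowercases `/ADMIN/users` to `/admın/users`, which does not start with `/admin/`, so the rule silently fails to apply; the `Locale.ROOT` variant produces `/admin/users` and the rule applies. When auditing a code base for this class of issue, the check to make is that every case-insensitive comparison on the authorization path uses `toLowerCase(Locale.ROOT)`, `toUpperCase(Locale.ROOT)` or `equalsIgnoreCase`, rather than the no-argument forms, and that the affected Spring Security artifact is at or above the fixed version listed below.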
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-38827
- https://github.com/spring-projects/spring-framework/issues/33708
- https://github.com/spring-projects/spring-framework/issues/34232
- https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
- https://security.netapp.com/advisory/ntap-20250124-0007
- https://spring.io/security/cve-2024-38827
Packages

| Package | Affected versions | Fixed in |
|---|---|---|
| org.springframework.security:spring-security-core | < 5.7.14 | 5.7.14 |
| org.springframework.security:spring-security-core | >= 5.8.0, < 5.8.16 | 5.8.16 |
| org.springframework.security:spring-security-core | >= 6.0.0, < 6.0.14 | 6.0.14 |
| org.springframework.security:spring-security-core | >= 6.1.0, < 6.1.12 | 6.1.12 |
| org.springframework.security:spring-security-core | >= 6.2.0, < 6.2.8 | 6.2.8 |
| org.springframework.security:spring-security-core | >= 6.3.0, < 6.3.5 | 6.3.5 |
Related vulnerabilities
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Vulnerability in the String.toLowerCase() and String.toUpperCase() functions of the Spring Security Java framework for securing enterprise applications, allowing an attacker to bypass the authorization process.