Description
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Vulnerable configurations
Configuration 1
Version from 5.3.0 (inclusive) to 5.3.41 (exclusive)
Version from 6.0.0 (inclusive) to 6.0.25 (exclusive)
Version from 6.1.0 (inclusive) to 6.1.14 (exclusive)
One of
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
EPSS
Percentile: 9%
0.00036
Low
3.1 Low
CVSS3
5.3 Medium
CVSS3
Weaknesses
NVD-CWE-noinfo
CWE-178
Related vulnerabilities
CVSS3: 3.1
ubuntu
8 months ago
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
CVSS3: 3.1
debian
8 months ago
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ...
CVSS3: 5.3
github
8 months ago
Spring Framework DataBinder Case Sensitive Match Exception