CVE-2024-38827 MEDIUM

CVE-2024-38827: Spring Security Authorization Bypass for Case Sensitive Comparisons

Vendor: Spring by VMware Tanzu
Product: Spring Security
Weakness: CWE-639 (IDOR, Authorization Bypass Through User-Controlled Key)
Published: December 2, 2024
Last update: January 24, 2025

CVSS base score

4.8/10 (MEDIUM)
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The use of String.toLowerCase() and String.toUpperCase() without an explicit Locale has locale-dependent exceptions (the default locale decides how certain characters are case-mapped), which could result in authorization rules that compare case-normalized strings not working properly.

Key dates

Disclosure timeline

December 2, 2024: CVE published
January 24, 2025: Record updated