{"vulnerability": "CVE-2024-38820", "sightings": [{"uuid": "9313dce0-cc53-4511-b333-03f40a7ac91b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38820", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/16737", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-22233\n\ud83d\udd25 CVSS Score: 3.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\ud83d\udd39 Description: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.\n\nAffected Spring Products and Versions\n\nSpring Framework:\n  *  6.2.0 - 6.2.6\n\n  *  6.1.0 - 6.1.19\n\n  *  6.0.0 - 6.0.27\n\n  *  5.3.0 - 5.3.42\n  *  Older, unsupported versions are also affected\n\n\n\nMitigation\n\nUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix Version\u00a0Availability\u00a06.2.x\n 6.2.7\nOSS6.1.x\n 6.1.20\nOSS6.0.x\n 6.0.28\n Commercial https://enterprise.spring.io/ 5.3.x\n 5.3.43\n Commercial https://enterprise.spring.io/ \nNo further mitigation steps are necessary.\n\n\nGenerally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. 
See the Model Design section in the reference documentation.\n\nFor setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.\n\nCredit\n\nThis issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.\n\ud83d\udccf Published: 2025-05-16T19:14:07.500Z\n\ud83d\udccf Modified: 2025-05-16T19:14:07.500Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N&version=3.1", "creation_timestamp": "2025-05-16T19:34:36.000000Z"}, {"uuid": "0d48e993-da2f-4628-a0ed-aae340a178c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "cve-2024-38820", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113596625680492138", "content": "", "creation_timestamp": "2024-12-04T21:15:49.897258Z"}, {"uuid": "0b300989-1bb4-482e-810d-858fa2c2fd0d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38820", "type": "seen", "source": "https://t.me/cvedetector/12032", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-38829 - A vulnerability in VMware Tanzu Spring LDAP allows\", \n  \"Content\": \"CVE ID : CVE-2024-38829 \nPublished : Dec. 4, 2024, 9:15 p.m. | 43\u00a0minutes ago \nDescription : A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.  
\n  \nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried  \nRelated to  CVE-2024-38820  \nSeverity: 3.7 | LOW \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"04 Dec 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-12-04T23:27:32.000000Z"}, {"uuid": "47e9f8b8-01ef-4242-b835-a346c75936a9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38820", "type": "seen", "source": "https://t.me/cvedetector/8293", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-38820 - Apache Struts Case Insensitive Validation Bypass Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-38820 \nPublished : Oct. 18, 2024, 6:15 a.m. | 40\u00a0minutes ago \nDescription : The fix for CVE-2022-22968 made disallowedFields\u00a0patterns in DataBinder\u00a0case insensitive. However, String.toLowerCase()\u00a0has some Locale dependent exceptions that could potentially result in fields not protected as expected. 
\nSeverity: 3.1 | LOW \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-18T09:23:24.000000Z"}, {"uuid": "25bcb847-ec9c-4429-baf2-00214bd15813", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38820", "type": "seen", "source": "", "content": "", "creation_timestamp": "2024-10-18T12:33:06.392446Z"}, {"uuid": "2c941c10-a3e6-40f0-ad41-26d4f407944f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38820", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3m2pk24yreb2i", "content": "", "creation_timestamp": "2025-10-08T21:02:25.552809Z"}]}