GHSA-4gc7-5j7h-4qph
GitHub Security Advisory
Spring Framework DataBinder Case Sensitive Match Exception
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case-insensitive. However, String.toLowerCase() has some locale-dependent exceptions that could potentially result in fields not being protected as expected.
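The locale dependence the advisory refers to can be shown in a few lines. The following is an added, self-contained Java example and is not Spring's own DataBinder code: the hypothetical helpers naiveMatch and rootMatch stand in for a case-insensitive disallowed-field comparison, and the Turkish locale is used because its lowercase mapping of "I" is the dotless "ı", which is one of the exceptions in String.toLowerCase().

```java
import java.util.Locale;

public class LocaleLowercaseDemo {

    // Hypothetical naive comparison: lowercases with the JVM default locale.
    // Under a Turkish default locale "ID".toLowerCase() becomes "ıd" (dotless i),
    // so a field spelled "ID" no longer matches the disallowed name "id".
    static boolean naiveMatch(String disallowed, String field) {
        return field.toLowerCase().equals(disallowed.toLowerCase());
    }

    // Locale-independent comparison: Locale.ROOT applies only the invariant
    // case mapping, so "ID" folds to "id" regardless of the default locale.
    static boolean rootMatch(String disallowed, String field) {
        return field.toLowerCase(Locale.ROOT).equals(disallowed.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a server running with a Turkish default locale.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            String disallowed = "id";   // constructed sample: a field that must stay blocked
            String submitted  = "ID";   // constructed sample: same field, different case

            System.out.println("default-locale match: " + naiveMatch(disallowed, submitted)); // false
            System.out.println("Locale.ROOT match:    " + rootMatch(disallowed, submitted));  // true
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

The false result from the default-locale comparison is the failure mode described above: the check silently stops covering a field it was configured to block. Comparing with Locale.ROOT (or String.equalsIgnoreCase, which is also locale-independent) removes the dependence on the server's default locale; upgrading to a fixed Spring version is still the actual remediation.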
Affected Packages
Maven
org.springframework:spring-context
Affected versions:
6.1.0
(fixed in 6.1.14)
Maven
org.springframework:spring-web
Affected versions:
6.1.0
(fixed in 6.1.14)
Maven
org.springframework:spring-web
Affected versions:
6.0.0
(last affected: 6.0.24)
Maven
org.springframework:spring-context
Affected versions:
6.0.0
(last affected: 6.0.24)
Maven
org.springframework:spring-context
Affected versions:
0
(last affected: 5.3.40)
Maven
org.springframework:spring-web
Affected versions:
0
(last affected: 5.3.40)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: June 14, 2025 6:24 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.