GHSA-mqvr-2rp8-j7h4

GitHub Security Advisory

Spring LDAP data exposure vulnerability

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, and all versions prior to 2.4.0.

The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in unintended columns being queried.
Related to CVE-2024-38820: https://spring.io/security/cve-2024-38820
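
The locale dependence described above can be reproduced with the JDK alone. The following is an added example, not code from Spring LDAP or from the advisory; the class name, the HIDDEN set and the attribute names are constructed for illustration. It compares a name check normalised with the JVM default locale against one normalised with Locale.ROOT.

```java
import java.util.Locale;
import java.util.Set;

public class LocaleCaseDemo {
    // Constructed deny-list of attribute names, stored lower-cased (hypothetical).
    static final Set<String> HIDDEN = Set.of("mail", "title");

    // Locale-dependent: String.toLowerCase() uses Locale.getDefault().
    // Under a Turkish default locale, 'I' lower-cases to dotless 'ı' (U+0131),
    // so "MAIL" becomes "maıl" and no longer matches "mail".
    static boolean isHiddenDefaultLocale(String attr) {
        return HIDDEN.contains(attr.toLowerCase());
    }

    // Locale-independent: Locale.ROOT gives the same mapping on every JVM.
    static boolean isHiddenRootLocale(String attr) {
        return HIDDEN.contains(attr.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] requested = { "MAIL", "TITLE", "cn" }; // constructed sample input
        Locale[] defaults = { Locale.ENGLISH, Locale.forLanguageTag("tr-TR") };

        Locale saved = Locale.getDefault();
        try {
            for (Locale l : defaults) {
                Locale.setDefault(l);
                for (String attr : requested) {
                    System.out.printf("default=%s attr=%s hidden(default)=%b hidden(ROOT)=%b%n",
                            l.toLanguageTag(), attr,
                            isHiddenDefaultLocale(attr), isHiddenRootLocale(attr));
                }
            }
        } finally {
            Locale.setDefault(saved); // restore the JVM default for the caller
        }
    }
}
```

To find the same pattern in a code base, search for toLowerCase() and toUpperCase() calls that take no Locale argument and feed a comparison, map key or filter.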

Affected Packages

Maven org.springframework.ldap:spring-ldap-core
Affected versions: 3.0.0 (fixed in 3.2.8)
Maven org.springframework.ldap:spring-ldap-core
Affected versions: 0 (fixed in 2.4.4)

Key Information

GHSA ID: GHSA-mqvr-2rp8-j7h4
Published: December 4, 2024 9:30 PM
Last Modified: December 10, 2024 4:29 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.springframework.ldap:spring-ldap-core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.