GHSA-q3v6-hm2v-pw99
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q3v6-hm2v-pw99
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q3v6-hm2v-pw99/GHSA-q3v6-hm2v-pw99.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q3v6-hm2v-pw99
- Aliases
-
- CVE-2024-38827
- Related
- Published
- 2024-12-02T15:31:41Z
- Modified
- 2026-02-04T03:10:40.993970Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Spring Framework has Authorization Bypass for Case Sensitive Comparisons
- Details
-
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
- Database specific
{ "nvd_published_at": "2024-12-02T15:15:11Z", "github_reviewed_at": "2024-12-02T20:04:17Z", "cwe_ids": [ "CWE-639" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-38827
- https://github.com/spring-projects/spring-framework/issues/33708
- https://github.com/spring-projects/spring-framework/issues/34232
- https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
- https://github.com/spring-projects/spring-security
- https://security.netapp.com/advisory/ntap-20250124-0007
- https://spring.io/security/cve-2024-38827
Affected packages
Maven
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.7.14
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5.RELEASE
2.0.6.RELEASE
2.0.7.RELEASE
2.0.8.RELEASE
3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.0.8.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.1.5.RELEASE
3.1.6.RELEASE
3.1.7.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
4.*
4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.2.10.RELEASE
4.2.11.RELEASE
4.2.12.RELEASE
4.2.13.RELEASE
4.2.14.RELEASE
4.2.15.RELEASE
4.2.16.RELEASE
4.2.17.RELEASE
4.2.18.RELEASE
4.2.19.RELEASE
4.2.20.RELEASE
5.*
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE
5.3.10.RELEASE
5.3.11.RELEASE
5.3.12.RELEASE
5.3.13.RELEASE
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11
5.6.12
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12
5.7.13
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core
org.springframework.security:spring-security-core
Package
- Name
- org.springframework.security:spring-security-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.security/spring-security-core