The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38820.json",
"cna_assigner": "vmware",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "5.3.x"
},
{
"fixed": "5.3.41"
},
{
"introduced": "6.0.x"
},
{
"fixed": "6.0.25"
},
{
"introduced": "6.1.x"
},
{
"fixed": "6.1.14"
}
]
}
]
}