======================================================================
CERT-Renater Information Note No. 2024/VULN485
_____________________________________________________________________
DATE : 20/11/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Spring Security versions prior to 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5.
=====================================================================
https://spring.io/security/cve-2024-38827/
_____________________________________________________________________

CVE-2024-38827: Spring Security Authorization Bypass for Case Sensitive Comparisons
MEDIUM | NOVEMBER 19, 2024 | CVE-2024-38827

Description

The use of String.toLowerCase() and String.toUpperCase() has some locale-dependent exceptions that could result in authorization rules not working properly.

Related to CVE-2024-38820

Affected Spring Products and Versions

Spring Security:
  5.7.0 - 5.7.13
  5.8.0 - 5.8.15
  6.0.0 - 6.0.13
  6.1.0 - 6.1.11
  6.2.0 - 6.2.7
  6.3.0 - 6.3.4
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
5.7.x                 5.7.14        Enterprise Support Only
5.8.x                 5.8.16        Enterprise Support Only
6.0.x                 6.0.14        Enterprise Support Only
6.1.x                 6.1.12        Enterprise Support Only
6.2.x                 6.2.8         OSS
6.3.x                 6.3.5         OSS

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email:cert@support.renater.fr    +
=========================================================
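The following is an added illustration of the mechanism the Description refers to; it is not Spring Security code and not part of the advisory. It assumes a constructed rule set (ADMIN_PATHS), two hypothetical helper methods, and a JVM default locale of tr-TR, where Java's single-argument String.toLowerCase() maps the Latin capital 'I' to the dotless 'ı' (U+0131) rather than to 'i'. The second helper shows the locale-independent form (passing Locale.ROOT), which is the pattern to look for when reviewing case-folded comparisons in authorization code.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Spring Security code): why locale-sensitive case folding
 * must not be used when matching a request path against authorization rules.
 * ADMIN_PATHS, both helper methods and the tr-TR locale are assumptions for
 * the demonstration.
 */
public class CaseFoldingAuthzDemo {

    // Constructed rule set: paths that require an administrative role,
    // stored in lower case so that incoming paths can be case-folded and compared.
    private static final Set<String> ADMIN_PATHS =
            Set.of("/admin/users", "/admin/settings");

    // Locale-dependent comparison: toLowerCase() with no argument uses
    // Locale.getDefault(), so the result varies with the JVM's locale.
    static boolean requiresAdminLocaleDependent(String path) {
        return ADMIN_PATHS.contains(path.toLowerCase());
    }

    // Locale-independent comparison: Locale.ROOT gives the same folding
    // on every JVM regardless of its default locale.
    static boolean requiresAdminLocaleRoot(String path) {
        return ADMIN_PATHS.contains(path.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Simulate a JVM whose default locale is Turkish (assumption for the demo).
        Locale original = Locale.getDefault();
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        try {
            String requested = "/ADMIN/SETTINGS";
            System.out.println("request           : " + requested);
            System.out.println("default-locale fold: " + requested.toLowerCase());
            System.out.println("Locale.ROOT fold   : " + requested.toLowerCase(Locale.ROOT));
            System.out.println("rule matches (locale-dependent): "
                    + requiresAdminLocaleDependent(requested));
            System.out.println("rule matches (Locale.ROOT)     : "
                    + requiresAdminLocaleRoot(requested));
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

Under the tr-TR default locale the first fold produces "/admın/settıngs" (dotless ı), which is not equal to the stored rule "/admin/settings", so the locale-dependent check reports that no administrative rule applies to the request; the Locale.ROOT fold produces "/admin/settings" and the rule matches. When auditing custom matchers or filters that call toLowerCase()/toUpperCase() without a Locale, or equalsIgnoreCase-style comparisons built on them, the check to apply is whether the folding is locale-independent (Locale.ROOT) or, better, whether the comparison needs case folding at all.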