======================================================================
CERT-Renater Information Note No. 2024/VULN486
_____________________________________________________________________
DATE                 : 20/11/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Spring LDAP versions prior to
                       2.4.4, 3.0.10, 3.1.8, 3.2.8.
=====================================================================

https://spring.io/security/cve-2024-38829/
_____________________________________________________________________

CVE-2024-38829: Spring LDAP sensitive data exposure for case-sensitive
comparisons

LOW | NOVEMBER 19, 2024 | CVE-2024-38829

Description

Spring LDAP calls String.toLowerCase() and String.toUpperCase() without
an explicit Locale. Both methods have locale-dependent exceptions that
can result in unintended columns being queried. The best-known case is
the Turkish locale, where "I".toLowerCase() yields the dotless i (U+0131)
and "i".toUpperCase() yields the dotted capital I (U+0130), so a
case-insensitive comparison that relies on the JVM default locale no
longer matches what the caller intended.

Related to CVE-2024-38820.

Affected Spring Products and Versions

Spring LDAP:
  2.4.0 - 2.4.3
  3.0.0 - 3.0.9
  3.1.0 - 3.1.7
  3.2.0 - 3.2.7

Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.

  Affected version(s)   Fix version   Availability
  2.4.x                 2.4.4         OSS
  3.0.x                 3.0.10        Commercial
  3.1.x                 3.1.8         Commercial
  3.2.x                 3.2.8         OSS

No other mitigation steps are necessary.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
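The following is an added example, not code from Spring LDAP or from the advisory above. It reproduces the class of bug the Description section refers to: a case-insensitive comparison of LDAP attribute names done with String.toLowerCase()/toUpperCase() and the JVM default locale, next to two locale-independent ways of writing the same check. The attribute names, the Turkish default locale and the helper methods are assumptions made for this illustration.

```java
import java.util.Locale;

/*
 * Added example (not Spring LDAP code). Shows why case-folding attribute
 * names with the JVM default locale is unsafe, and two hardened forms.
 * Sample attribute names and the Turkish default locale are constructed
 * for the demonstration.
 */
public class LocaleCaseFolding {

    /** Vulnerable pattern: case-fold with the JVM default locale. */
    static boolean equalsViaDefaultLocale(String a, String b) {
        return a.toLowerCase().equals(b.toLowerCase());
    }

    /** Hardened pattern 1: fold with Locale.ROOT, whose rules do not vary by locale. */
    static boolean equalsViaRootLocale(String a, String b) {
        return a.toLowerCase(Locale.ROOT).equals(b.toLowerCase(Locale.ROOT));
    }

    /** Hardened pattern 2: compare without converting either string at all. */
    static boolean equalsIgnoringCase(String a, String b) {
        return a.equalsIgnoreCase(b);
    }

    /** Render a string as code points so the dotted/dotless i is visible in output. */
    static String codePoints(String s) {
        StringBuilder sb = new StringBuilder();
        s.codePoints().forEach(cp -> sb.append(String.format("U+%04X ", cp)));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample: the attribute name the caller asks for (upper case,
        // as a config file might spell it) and the name the directory returns.
        String requested = "UNIQUEMEMBER";
        String returned  = "uniqueMember";

        // Simulate a JVM running on a Turkish system. Under this default locale
        // "I".toLowerCase() is U+0131 (dotless i), not U+0069.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));

        String folded = requested.toLowerCase();
        System.out.println("default-locale toLowerCase : " + folded + "  [" + codePoints(folded) + "]");
        System.out.println("match via default locale   : " + equalsViaDefaultLocale(requested, returned));
        System.out.println("match via Locale.ROOT      : " + equalsViaRootLocale(requested, returned));
        System.out.println("match via equalsIgnoreCase : " + equalsIgnoringCase(requested, returned));

        // The same problem in the other direction: "i".toUpperCase() is U+0130
        // (capital I with dot above), so the upper-cased name no longer matches.
        String upper = returned.toUpperCase();
        System.out.println("default-locale toUpperCase : " + upper + "  [" + codePoints(upper) + "]");
        System.out.println("upper-case exact match     : " + upper.equals(requested));
    }
}
```

Run with `javac LocaleCaseFolding.java && java LocaleCaseFolding`. Under the Turkish default locale the default-locale comparison reports no match while both hardened forms match, which is the behaviour the Spring LDAP fix restores; the code-point dump shows the U+0131 and U+0130 characters that cause the mismatch. When reviewing your own code for the same class of bug, search for toLowerCase() and toUpperCase() calls that take no Locale argument and either pass Locale.ROOT or switch to equalsIgnoreCase().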