.. _vulnerabilityManagement_skip_registry_33x_CVE-2024-38820:

CVE-2024-38820 CVE-2025-22233
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data: 2024-10-29

Severity: Medium

CVSS Score:  5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Riferimenti:  

- `https://nvd.nist.gov/vuln/detail/CVE-2024-38820 <https://nvd.nist.gov/vuln/detail/CVE-2024-38820>`_
- `https://ossindex.sonatype.org/vulnerability/CVE-2024-38820 <https://ossindex.sonatype.org/vulnerability/CVE-2024-38820>`_
- `https://spring.io/security/cve-2024-38820 <https://spring.io/security/cve-2024-38820>`_

Libreria: org.springframework:\* < 5.3.41

**Descrizione**

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. 

However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

**Falso Positivo per GovWay**

Nel progetto vengono utilizzate delle versioni ricompilate dei seguenti jar:

- spring-beans-5.3.39-gov4j-2.jar
- spring-context-5.3.39-gov4j-2.jar
- spring-context-support-5.3.39-gov4j-2.jar
- spring-core-5.3.39-gov4j-2.jar
- spring-expression-5.3.39-gov4j-2.jar
- spring-web-5.3.39-gov4j-2.jar

La tag version 'v5.3.39' è stata modificata per riportare il `contenuto delle modifiche <https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c.diff>`_ evidenziate nel commit `23656ae <https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c>`_ sul progetto github `spring-projects/spring-framework <https://github.com/spring-projects/spring-framework>`_. Il commit `23656ae <https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c>`_ contiene il fix *'Use Locale.ROOT consistently for toLower/toUpperCase'* riferito nel `advisory-database di github <https://github.com/github/advisory-database/pull/4946>`_ come risoluzione per `CVE-2024-38820 <https://github.com/advisories/GHSA-4gc7-5j7h-4qph>`_.

Inoltre sono state riportate le modifiche evidenziate nel commit `edfcc6f <https://github.com/spring-projects/spring-framework/commit/edfcc6ffb188e4614ec9b212e3208b666981851c>`_ sul progetto github `spring-projects/spring-framework <https://github.com/spring-projects/spring-framework>`_ relative alla classe 'org.springframework.validation.DataBinder'.

All'interno degli archivi jar è possibile trovare i file patch che sono stati applicati sui sorgenti del tag 'v5.3.39' oltre ai sorgenti '\.java' delle classi modificate.

Configuration File: `false-positive.xml <https://raw.githubusercontent.com/link-it/govway/master/mvn/dependencies/owasp/falsePositives/CVE-2024-38820.xml>`_