CVE-2024-38820
WSO2 Products impacted: No
Customer actions required: Yes
REPORTED VULNERABILITY
This vulnerability affects spring-context, which provides the DataBinder functionality. The fix for CVE-2022-22968 made disallowedFields patterns case-insensitive by lowercasing both the configured patterns and the submitted field names with String.toLowerCase(). That method uses the JVM default locale, and some locales map characters differently (for example, uppercase "I" becomes dotless "ı" under a Turkish locale), so a pattern and a submitted field name that should match may lowercase to different strings. A field that was meant to be blocked is then accepted during data binding, which can expose or modify a property the application intended to protect.
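The locale dependence described above, as an added illustration that is not Spring's or WSO2's code: a reduced model of the disallowedFields check with the pre-fix String.toLowerCase() beside the Locale.ROOT form used by the fix. The class name, the helper names and the sample pattern "id" with the submitted field "Id" are constructed for this example; the only assumption carried over from the CVE-2022-22968 advisory is that the binder accepts either case for the first character of a property name, which is why both sides are lowercased at all.

```java
import java.util.Locale;

// Added illustration (not Spring's or WSO2's code): a reduced model of the
// DataBinder disallowedFields check before and after the CVE-2024-38820 fix.
public class DisallowedFieldsLocaleDemo {

    // Pre-fix behaviour: pattern and submitted field name are lowercased with
    // String.toLowerCase(), which applies the JVM default locale's case rules.
    static boolean allowedWithDefaultLocale(String[] disallowedPatterns, String field) {
        String candidate = field.toLowerCase();
        for (String pattern : disallowedPatterns) {
            if (pattern.toLowerCase().equals(candidate)) {
                return false; // matched a disallowed pattern: binding refused
            }
        }
        return true;
    }

    // Post-fix behaviour: lowercase with Locale.ROOT so the mapping is the same
    // on every JVM regardless of the host's language settings.
    static boolean allowedWithRootLocale(String[] disallowedPatterns, String field) {
        String candidate = field.toLowerCase(Locale.ROOT);
        for (String pattern : disallowedPatterns) {
            if (pattern.toLowerCase(Locale.ROOT).equals(candidate)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: the application blocks binding to "id"; the request
        // names the field "Id", which the binder also maps to the "id" property.
        String[] disallowed = {"id"};
        String submitted = "Id";

        Locale[] locales = {Locale.US, Locale.forLanguageTag("tr-TR")};
        for (Locale locale : locales) {
            Locale.setDefault(locale);
            System.out.printf("default locale %s: \"%s\" lowercases to \"%s\"%n",
                    locale, submitted, submitted.toLowerCase());
            // Under tr-TR "Id" becomes "ıd" (dotless i), which no longer equals
            // the pattern "id", so the pre-fix check lets the field through.
            System.out.printf("  pre-fix check allows binding:     %b%n",
                    allowedWithDefaultLocale(disallowed, submitted));
            System.out.printf("  Locale.ROOT check allows binding: %b%n",
                    allowedWithRootLocale(disallowed, submitted));
        }
    }
}
```

The precondition for the bypass is a JVM whose default locale has special casing rules (Turkish and Azeri are the known cases for the I/ı mapping), which is inherited from the host's language settings or set with -Duser.language; on an en_US JVM both checks refuse the field. Locale.ROOT removes that dependence, which is what the ported fix does.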
REPORTED PRODUCTS
- WSO2 Identity Server 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0
WSO2 JUSTIFICATION
In WSO2 Identity Server, spring-context is used for internal dependency injection and component configuration. No web endpoint or controller in a standard deployment binds user-supplied field names through DataBinder.
A review of the codebase confirmed that DataBinder is not used anywhere untrusted input could control the bound field names, so no practical exploit scenario was identified.
Nevertheless, WSO2 has forked Spring Context 5.x and ported the relevant fix for this vulnerability from Spring 6.x. The update levels that contain the fix are listed below.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 Identity Server | 5.10.0 | 336 |
| WSO2 Identity Server | 5.11.0 | 382 |
| WSO2 Identity Server | 6.0.0 | 222 |
| WSO2 Identity Server | 6.1.0 | 209 |
| WSO2 Identity Server | 7.0.0 | 78 |