CVE-2024-38829

LOW3.7EPSS 0.14%

Spring LDAP data exposure vulnerability

Published: 12/4/2024Modified: 4/28/2026

Description

A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820

Affected packages (2)

Debian/libspring-javafrom 0
Maven/org.springframework.ldap:spring-ldap-core>= 3.0.0, < 3.2.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-38829
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-38829
PATCHhttps://github.com/spring-projects/spring-ldap
WEBhttps://spring.io/security/cve-2024-38829