December 2024 Spring Databinder FAQ

Why did we take our current approach to CVE-2024-38820?

CVE-2024-38820 details a path traversal vulnerability in Spring. Per Spring's advisory on the matter (https://spring.io/security/cve-2024-38820):

“The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected”.

Neither the Spring DataBinder class nor the disallowedFields method is used in RadiantOne IDDM, so RadiantOne IDDM is not affected by this vulnerability.
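The locale-dependent behaviour the Spring advisory quoted above refers to is a general Java pitfall, not something specific to Spring. The following is an added illustration written for this FAQ (it is not RadiantOne or Spring code): a case-insensitive "disallowed field" check written two ways, once with the no-argument String.toLowerCase() that follows the JVM's default locale and once with Locale.ROOT. The class and method names, the pattern "id" and the field name "ID" are constructed for the example.

```java
import java.util.Locale;

// Added illustration, not RadiantOne or Spring code: a case-insensitive
// disallowed-field check implemented two ways. The method names and the
// sample pattern and field values are constructed for this example.
public class DisallowedFieldCheck {

    // Compares using the JVM's default locale. Under a locale with special
    // casing rules (for example Turkish, where "I" lowercases to the dotless
    // "ı", U+0131) the field name "ID" lowercases to "ıd", which does not
    // equal the pattern "id", so the field is not blocked.
    static boolean blockedWithDefaultLocale(String disallowedPattern, String fieldName) {
        return fieldName.toLowerCase().equals(disallowedPattern.toLowerCase());
    }

    // Compares using Locale.ROOT, whose casing rules do not depend on the
    // locale the JVM happens to be configured with, so the result is the
    // same on every deployment.
    static boolean blockedWithRootLocale(String disallowedPattern, String fieldName) {
        return fieldName.toLowerCase(Locale.ROOT)
                .equals(disallowedPattern.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String disallowed = "id"; // constructed pattern that should block the field
        String submitted = "ID";  // constructed field name as a client might submit it

        Locale original = Locale.getDefault();
        try {
            // Same inputs, checked under a Turkish default locale.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            System.out.println("tr-TR, default-locale check: "
                    + blockedWithDefaultLocale(disallowed, submitted));
            System.out.println("tr-TR, Locale.ROOT check:    "
                    + blockedWithRootLocale(disallowed, submitted));

            // Same inputs, checked under a US English default locale.
            Locale.setDefault(Locale.US);
            System.out.println("en-US, default-locale check: "
                    + blockedWithDefaultLocale(disallowed, submitted));
            System.out.println("en-US, Locale.ROOT check:    "
                    + blockedWithRootLocale(disallowed, submitted));
        } finally {
            // Restore the JVM default so the demonstration has no side effects.
            Locale.setDefault(original);
        }
    }
}
```

Run with `javac DisallowedFieldCheck.java && java DisallowedFieldCheck`. The point to take from it: a security check that compares identifiers case-insensitively must not rely on the default locale, because the outcome then depends on the server's regional settings rather than on the input alone; lowercasing with Locale.ROOT (or comparing with String.equalsIgnoreCase, which is also locale-independent) gives the same answer everywhere.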

Is there additional context around this exploit?

This is a medium severity vulnerability per the National Vulnerability Database. There is not a great deal of reporting on this vulnerability, aside from it being a flaw in the fix for CVE-2022-22968.

Is RadiantOne IDDM going to have an updated version of Spring?

We are currently testing RadiantOne IDDM with the latest release of the Spring Framework (5.3.41). An update containing these updated libraries will be released; it is targeted for 7.4.13 and for the corresponding releases of version 8.

Is Radiant Logic’s SaaS offering for IDDM impacted by this vulnerability?

Radiant Logic IDDM is not impacted for the reasons stated above, but an update to the SaaS offering for IDDM will be released that includes the Spring Security update.

Is Identity Analytics impacted by this?

Neither the Spring DataBinder class nor the disallowedFields method is used in RadiantOne IA, so RadiantOne IA is not affected by this vulnerability.

Is CFS impacted by this?

No, CFS is a .NET product that does not use any Java libraries.
