CVE-2024-38827 (Medium) detected in multiple libraries

[mend-for-github-com]

CVE-2024-38827 - Medium Severity Vulnerability

Vulnerable Libraries - spring-security-crypto-5.8.7.jar, spring-security-web-5.8.7.jar, spring-security-core-5.8.7.jar

spring-security-crypto-5.8.7.jar

Spring Security

Library home page: https://spring.io

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-crypto/5.8.7/d69ea3cac23fa4c567f342180cd7150d06de5e6b/spring-security-crypto-5.8.7.jar

Dependency Hierarchy:

• jenkins-core-2.426.3.jar (Root Library)
  • spring-security-web-5.8.7.jar
    • spring-security-core-5.8.7.jar
      • ❌ spring-security-crypto-5.8.7.jar (Vulnerable Library)

spring-security-web-5.8.7.jar

Spring Security

Library home page: https://spring.io

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-web/5.8.7/b28db4ea3fb69adf99d2a10e61b55c5869518193/spring-security-web-5.8.7.jar

Dependency Hierarchy:

• jenkins-core-2.426.3.jar (Root Library)
  • ❌ spring-security-web-5.8.7.jar (Vulnerable Library)

spring-security-core-5.8.7.jar

Spring Security

Library home page: https://spring.io

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/5.8.7/916c9b391ef6e606806dbe2fc9c8b4ff5a853cdf/spring-security-core-5.8.7.jar

Dependency Hierarchy:

• jenkins-core-2.426.3.jar (Root Library)
  • spring-security-web-5.8.7.jar
    • ❌ spring-security-core-5.8.7.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Publish Date: 2024-12-02

URL: CVE-2024-38827

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38827

Release Date: 2024-12-02

Fix Resolution: org.springframework.security:spring-security-cas:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-config:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-core:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-crypto:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-ldap:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-oauth2-client:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-taglibs:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5, org.springframework.security:spring-security-web:5.7.14,5.8.16,6.0.14,6.1.12,6.2.8,6.3.5