Bug 2330449 (CVE-2024-38829)

Summary: CVE-2024-38829 spring-ldap: Spring LDAP sensitive data exposure for case-sensitive comparisons
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, cmiranda, darran.lofthouse, dkreling, dosoudil, fjuma, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, jpoth, kaycoth, lgao, mosmerov, msochure, msvehla, nwallace, pcongius, pdelbell, pesilva, pjindal, pmackay, rstancel, rstepani, smaestri, tcunning, tom.jenkinson, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring LDAP. The usage of String.toLowerCase() and String.toUpperCase() has some locale dependent exceptions that could result in unintended columns being queried.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-12-04 22:01:10 UTC 
A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried
Related to  CVE-2024-38820 https://spring.io/security/cve-2024-38820