{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56305?format=json","vulnerability_id":"VCID-d9ff-bg7q-43dh","summary":"Spring LDAP data exposure vulnerability\nA vulnerability in Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820","aliases":[{"alias":"CVE-2024-38829"},{"alias":"GHSA-mqvr-2rp8-j7h4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83456?format=json","purl":"pkg:maven/org.springframework.ldap/spring-ldap-core@2.4.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.ldap/spring-ldap-core@2.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/83455?format=json","purl":"pkg:maven/org.springframework.ldap/spring-ldap-core@3.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.ldap/spring-ldap-core@3.2.8"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1175296?format=json","purl":"pkg:maven/org.springframework.ldap/spring-ldap-core@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d9ff-bg7q-43dh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.ldap/spring-ldap-core@3.0.0"}],"references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38829.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38829.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38829","reference_id":"","reference_type":"","scores":[{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.3234","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32417","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32317","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32347","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00132","scoring_system":"epss","scoring_elements":"0.32385","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38829"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38829","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38829"},{"reference_url":"https://github.com/spring-projects/spring-ldap","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-ldap"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330449","reference_id":"2330449","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38829","reference_id":"CVE-2024-38829","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38829"},{"reference_url":"https://spring.io/security/cve-2024-38829","reference_id":"CVE-2024-38829","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T17:10:00Z/"}],"url":"https://spring.io/security/cve-2024-38829"},{"reference_url":"https://github.com/advisories/GHSA-mqvr-2rp8-j7h4","reference_id":"GHSA-mqvr-2rp8-j7h4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqvr-2rp8-j7h4"}],"weaknesses":[{"cwe_id":178,"name":"Improper Handling of Case Sensitivity","description":"The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"3.7 - 6.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d9ff-bg7q-43dh"}