The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.springframework:spring-context(Maven) | 6.1.0 | 6.1.14 | N/A |
| org.springframework:spring-web(Maven) | 6.1.0 | 6.1.14 | N/A |
| org.springframework:spring-web(Maven) | 6.0.0 | N/A | N/A |
| org.springframework:spring-context(Maven) | 6.0.0 | N/A | N/A |
| org.springframework:spring-context(Maven) | 0 | N/A | N/A |
| org.springframework:spring-web(Maven) | 0 | N/A | N/A |
CVSS Metrics
