
Commit 67a67fb

Merge pull request #1672 from rundeck/RUN-3152
Add CVE-2024-38820 Finding
2 parents e134d6c + 70bcd55 commit 67a67fb

2 files changed

Lines changed: 23 additions & 0 deletions


Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
order: 77
3+
---
4+
5+
# CVE-2024-38820
6+
7+
## Description
8+
9+
CVE-2024-38820 is a vulnerability in Spring Framework's DataBinder that could potentially allow attackers to bypass property access restrictions through manipulation of allowed fields.
10+
11+
## Severity
12+
13+
**Low** - After thorough code analysis across `rundeck`, `rundeckpro`, and `rundeck-plugins` repositories, no direct or indirect usage of DataBinder, disallowedFields, or setDisallowedFields was identified. The only matches found were in binary files, which does not indicate active use of the vulnerable functionality.
14+
15+
## Affected Versions
16+
17+
Since the vulnerable component is not used in Rundeck codebases, no versions are directly affected by this vulnerability.
18+
19+
## References
20+
21+
- [National Vulnerability Database - CVE-2024-38820](https://nvd.nist.gov/vuln/detail/CVE-2024-38820)
22+
- [Spring Framework Security Advisory](https://tanzu.vmware.com/security/cve-2024-38820)
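Review bot: the Severity rationale on the `**Low**` line rests on a text search for `DataBinder`, `disallowedFields` and `setDisallowedFields` that produced only binary matches, and that is not enough to support the claim of "no direct or indirect usage": an application can reach `DataBinder` through the framework's own request binding without naming the class anywhere, so the finding should also state which Spring Framework version Rundeck bundles and whether that version falls inside the range the linked NVD entry lists. The Affected Versions section should then say why Rundeck is not affected in concrete terms (the bundled version carries the fix, or the binding path is not reachable, with the evidence) rather than "no versions are directly affected". Smaller wording point: the Description speaks of "manipulation of allowed fields" while the analysis searched for `disallowedFields`; align the description with the advisory text so readers are not left guessing which mechanism was assessed.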

docs/history/cves/index.md

Lines changed: 1 addition & 0 deletions
@@ -49,5 +49,6 @@ These are the Security Advisories Rundeck has issued in the past. It is always
4949
* [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md).
5050
* [CVE-2024-38816 Path traversal vulnerability in functional web frameworks](cve-2024-38816.md).
5151
* [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md).
52+
* [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md).
5253
* [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
5354
* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
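Review bot: the trailing context line `* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).` links the golang/x/net entry to `cve-2024-38819.md`, which is the file the CVE-2024-38819 path traversal entry two lines above already points to, so one of the two links is wrong; this is pre-existing rather than introduced here, but since the PR is already editing this list it would be a good moment to point the CVE-2024-45338 entry at its own page (the correct file name is not visible in this diff and should be checked against the docs tree). The added `CVE-2024-38820` line itself keeps the numeric ordering and follows the title style of the other false-positive entry (`CVE-2024-38807 Spring Boot false positive`), which is fine.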
