diff --git a/docs/history/cves/cve-2024-38820.md b/docs/history/cves/cve-2024-38820.md new file mode 100644 index 000000000..5f5c899fd --- /dev/null +++ b/docs/history/cves/cve-2024-38820.md @@ -0,0 +1,22 @@ +--- +order: 77 +--- + +# CVE-2024-38820 + +## Description + +CVE-2024-38820 is a vulnerability in Spring Framework's DataBinder that could potentially allow attackers to bypass property access restrictions through manipulation of allowed fields. + +## Severity + +**Low** - After thorough code analysis across `rundeck`, `rundeckpro`, and `rundeck-plugins` repositories, no direct or indirect usage of DataBinder, disallowedFields, or setDisallowedFields was identified. The only matches found were in binary files, which does not indicate active use of the vulnerable functionality. + +## Affected Versions + +Since the vulnerable component is not used in Rundeck codebases, no versions are directly affected by this vulnerability. + +## References + +- [National Vulnerability Database - CVE-2024-38820](https://nvd.nist.gov/vuln/detail/CVE-2024-38820) +- [Spring Framework Security Advisory](https://tanzu.vmware.com/security/cve-2024-38820) \ No newline at end of file diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md index 61ab0f3b1..8b40df841 100644 --- a/docs/history/cves/index.md +++ b/docs/history/cves/index.md @@ -49,5 +49,6 @@ These are the Security Advisories Rundeck has issued in the past. It is always * [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md). * [CVE-2024-38816 Path traversal vulnerability in functional web frameworks](cve-2024-38816.md). * [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md). +* [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md). * [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md). * [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md). \ No newline at end of file