Merged
22 changes: 22 additions & 0 deletions docs/history/cves/cve-2024-38820.md
@@ -0,0 +1,22 @@
---
order: 77
---

# CVE-2024-38820

## Description

CVE-2024-38820 is a vulnerability in Spring Framework's DataBinder that could potentially allow attackers to bypass property access restrictions through manipulation of allowed fields.

## Severity

**Low** - After thorough code analysis across `rundeck`, `rundeckpro`, and `rundeck-plugins` repositories, no direct or indirect usage of DataBinder, disallowedFields, or setDisallowedFields was identified. The only matches found were in binary files, which does not indicate active use of the vulnerable functionality.

## Affected Versions

Since the vulnerable component is not used in Rundeck codebases, no versions are directly affected by this vulnerability.

## References

- [National Vulnerability Database - CVE-2024-38820](https://nvd.nist.gov/vuln/detail/CVE-2024-38820)
- [Spring Framework Security Advisory](https://tanzu.vmware.com/security/cve-2024-38820)
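Review bot: the Severity and Affected Versions sections conclude "no versions are directly affected" solely from a source grep, yet the same Severity paragraph says matches for DataBinder/disallowedFields were found in binary files, which means the affected Spring Framework classes are on the classpath even if Rundeck code never calls them; the page should name the Spring Framework version shipped and state whether it is at or above the patched release (or that it was deliberately not upgraded), so the "not affected" claim is verifiable rather than inferred. The Description also says the issue is exploited "through manipulation of allowed fields" while the analysis searched for disallowedFields and setDisallowedFields; use one term consistently so a reader can tell the search actually covered the mechanism described.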
1 change: 1 addition & 0 deletions docs/history/cves/index.md
Expand Up @@ -49,5 +49,6 @@ These are the Security Advisories Rundeck has issued in the past. It is always
* [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md).
* [CVE-2024-38816 Path traversal vulnerability in functional web frameworks](cve-2024-38816.md).
* [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md).
* [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md).
* [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
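Review bot: the added CVE-2024-38820 entry labels the issue a "false positive", but the new cve-2024-38820.md page rates it "Low" severity and never uses that phrase; pick one wording and use it in both places (for example "Spring Framework DataBinder, component not used by Rundeck"). While this list is being edited, the unchanged CVE-2024-45338 line directly below links to cve-2024-38819.md, which is the CVE-2024-38819 path-traversal page rather than a golang/x/net page; correcting the target in the same PR would be cheap.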