Description
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Remediation
References
https://tanzu.vmware.com/security/cve-2022-22968
https://security.netapp.com/advisory/ntap-20220602-0004/
https://www.oracle.com/security-alerts/cpujul2022.html
Related Vulnerabilities
CVE-2021-21119 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-30548 Vulnerability in npm package gatsby-plugin-sharp
CVE-2022-26336 Vulnerability in maven package org.apache.poi:poi-scratchpad
CVE-2018-17193 Vulnerability in maven package org.apache.nifi:nifi-web-utils
CVE-2022-43419 Vulnerability in maven package org.jenkins-ci.plugins:katalon