CVE-2014-0097 Fixed in Spring Security 3.2.2 and 3.1.6

Spring Security 3.2.2 (change log) and 3.1.6 (change log) have been released and are available in Maven Central.

Among the highlights, these two releases resolve CVE-2014-0097, which allows a malicious user to impersonate another user by supplying an empty password if ALL of the following hold true:

  • The application is using ActiveDirectoryLdapAuthenticator
  • The directory allows anonymous binds (not recommended)

NOTE: This does NOT impact users of LdapAuthenticationProvider or <ldap-authentication-provider>
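To make the failure mode concrete, here is an added, self-contained illustration (not Spring Security's own code) of why the two conditions above combine into an authentication bypass. The `FakeDirectory` class is a hypothetical stand-in for an LDAP server that permits anonymous binds: a simple bind that carries a DN but an empty password is treated as an unauthenticated (anonymous) bind and reported as a success, so an authenticator that forwards the supplied password straight to the bind accepts the login. The `authenticateFixed` method shows the defensive check that closes the hole: empty credentials are rejected before any bind is attempted.

```java
import java.util.Map;

/**
 * Illustrative model of the CVE-2014-0097 condition. Nothing here is
 * Spring Security code; the directory, DNs and password are constructed
 * for the example.
 */
public class EmptyPasswordBindDemo {

    /** Hypothetical stand-in for an LDAP server; entries map DN to password. */
    static final class FakeDirectory {
        private final Map<String, String> entries;
        private final boolean allowAnonymousBinds;

        FakeDirectory(Map<String, String> entries, boolean allowAnonymousBinds) {
            this.entries = entries;
            this.allowAnonymousBinds = allowAnonymousBinds;
        }

        /** Returns true if the server accepts the simple bind. */
        boolean bind(String dn, String password) {
            if (password == null || password.isEmpty()) {
                // A DN with an empty password is an unauthenticated bind; servers that
                // allow anonymous binds accept it regardless of which DN was named.
                return allowAnonymousBinds;
            }
            return password.equals(entries.get(dn));
        }
    }

    /** Models the unpatched behaviour: the password goes straight to the bind. */
    static boolean authenticateVulnerable(FakeDirectory dir, String dn, String password) {
        return dir.bind(dn, password);
    }

    /** Models the fix: refuse empty credentials before any bind is attempted. */
    static boolean authenticateFixed(FakeDirectory dir, String dn, String password) {
        if (password == null || password.isEmpty()) {
            return false; // treat as bad credentials, never reach the directory
        }
        return dir.bind(dn, password);
    }

    public static void main(String[] args) {
        String alice = "CN=alice,DC=example,DC=com"; // constructed sample DN
        FakeDirectory dir = new FakeDirectory(Map.of(alice, "s3cret"), true);

        System.out.println("vulnerable, empty password: "
                + authenticateVulnerable(dir, alice, ""));
        System.out.println("fixed, empty password:      "
                + authenticateFixed(dir, alice, ""));
        System.out.println("fixed, correct password:    "
                + authenticateFixed(dir, alice, "s3cret"));
    }
}
```

Running `main` shows the vulnerable path accepting the empty-password bind while the fixed path rejects it and still accepts the real password. The same model also shows why the second condition matters: constructing `FakeDirectory` with `allowAnonymousBinds` set to `false` makes even the vulnerable path fail, which is why disabling anonymous binds on the directory is a worthwhile hardening step independent of upgrading.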

For full details on the releases, please refer to the previously mentioned change logs.
