Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreSpring Security Advisories
CVE-2014-0097 Blank password may bypass user authentication
Description
The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
Affected Spring Products and Versions
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5
Mitigation
Users of affected versions should apply the following mitigation:
- Users of 3.2.x should upgrade to 3.2.2 or later
- Users of 3.1.x should upgrade to 3.1.6 or later
Credit
This issue was identified by the Spring Development team.
References
- https://jira.springsource.org/browse/SEC-2500
- https://github.com/spring-projects/spring-security/commit/88559882e967085c47a7e1dcbc4dc32c2c796868
- https://github.com/spring-projects/spring-security/commit/7dbb8e777ece8675f3333a1ef1cb4d6b9be80395
- https://github.com/spring-projects/spring-security/commit/a7005bd74241ac8e2e7b38ae31bc4b0f641ef973
History
2014-Mar-11: Initial vulnerability report published
- 2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
- 2014-Jun-19: Add mitigation for 3.1.x users
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all