Blank password may bypass user authentication

HIGH | MARCH 11, 2014 | CVE-2014-0097

Description

The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Affected Spring Products and Versions

Spring Security:

  • 3.2.0 - 3.2.1
  • 3.1.0 - 3.1.5

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
3.2.2OSS
3.1.6OSS

No further mitigation steps are necessary.

Credit

This issue was identified by the Spring Development team.

History

  • 2014-03-11: Initial vulnerability report published.
  • 2014-03-11: Affected versions corrected to add 3.1.0 to 3.1.5
  • 2014-06-19: Add mitigation for 3.1.x users

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all