Spring Security Advisories

CVE-2014-0097 Blank password may bypass user authentication

HIGH | MARCH 11, 2014 | CVE-2014-0097


The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Affected Spring Products and Versions

  • Spring Security 3.2.0 to 3.2.1
  • Spring Security 3.1.0 to 3.1.5


Users of affected versions should apply the following mitigation:

  • Users of 3.2.x should upgrade to 3.2.2 or later
  • Users of 3.1.x should upgrade to 3.1.6 or later


This issue was identified by the Spring Development team.


  • 2014-Mar-11: Initial vulnerability report published
  • 2014-Mar-11: Affected versions corrected to add 3.1.0 to 3.1.5
  • 2014-Jun-19: Add mitigation for 3.1.x users

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all